Windows Analysis Report
wjpP1EOX0L.exe

Overview

General Information

Sample name:	wjpP1EOX0L.exe renamed because original name is a hash value
Original sample name:	7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0.exe
Analysis ID:	1558734
MD5:	34dc961fe0a98ea779d7b673a48c77a0
SHA1:	7f3cf770da67a60d60c79c82df85eef66eb80d8e
SHA256:	7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0
Tags:	crypto-st--artexeuser-JAMESWT_MHT
Infos:

Detection

TVrat

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected TVrat

AI detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
TeamSpy, TVRAT		No Attribution	https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/ https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk	https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy

Signatures

AV Detection

Yara detected TVrat

Source: Yara match	File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.3% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F21A0 CryptHashData,	10_2_6B8F21A0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F21C0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	10_2_6B8F21C0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F2160 CryptAcquireContextA,CryptCreateHash,	10_2_6B8F2160
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F20A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	10_2_6B8F20A0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8D8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	10_2_6B8D8010

Source: ast.exe, 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_8a9c27f0-a

Uses 32bit PE files

Source: wjpP1EOX0L.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50103 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50121 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50127 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50136 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50148 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50154 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50160 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50181 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50190 version: TLS 1.2

Source: wjpP1EOX0L.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2089288252.00000000035B2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2999895866.000000006BE30000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
Source:	Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
Source:	Binary string: vcruntime140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: vcruntime140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcomp140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2094846139.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, is-VCJTB.tmp.3.dr
Source:	Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000009.00000003.2097728621.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, msvcr120.dll.9.dr
Source:	Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
Source:	Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbnes\AppData\Roaming\im\ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb\*D{ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: vcomp140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp

Source: C:\Users\user\AppData\Roaming\im\ast.exe

Code function: 11_2_07065021 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,

11_2_07065021

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.4:49876 -> 212.193.169.65:44335
Source: global traffic	TCP traffic: 192.168.2.4:50015 -> 195.19.105.66:44444

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 256
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2561:vKlGnpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2561:I*K1pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2561:6otL?:pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2561:mF$~Wpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic	HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\im\ast.exe

Code function: 10_2_6B9009F0 recv,send,WSAGetLastError,

10_2_6B9009F0

Source: global traffic	DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
Source: global traffic	DNS traffic detected: DNS query: trs011.xn--80akicokc0aablc.xn--p1ai
Source: global traffic	DNS traffic detected: DNS query: crypto-st.art

Source: unknown

HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269

Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, is-VCJTB.tmp.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, is-VCJTB.tmp.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ast.exe, 0000000A.00000002.2980985284.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2513039914.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php
Source: ast.exe, 0000000A.00000003.2973573202.0000000006088000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953370709.000000000608B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f40;a~8
Source: ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66
Source: ast.exe, 0000000A.00000003.2947103567.000000000609D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66-80akicokc0aablc.x
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66/
Source: ast.exe, 0000000A.00000002.2992930514.0000000006088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b660
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b667
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66G
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Q
Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Y
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66c
Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66e
Source: ast.exe, 0000000A.00000002.2979445587.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66h
Source: ast.exe, 0000000A.00000003.2888461757.0000000006091000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2979445587.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66ln241119_8036.log
Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66m
Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66u
Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66w
Source: ast.exe, 0000000B.00000002.2513039914.0000000000D40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crypto-st.art/update.phpy
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-VCJTB.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/e
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Types?fr
Source: ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/TypesYfT
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesntime1
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typespeg-tu
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.borland.com/namespaces/Typesw)u
Source: ast.exe.9.dr	String found in binary or memory: http://www.indyproject.org/
Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000000.1712569015.0000000000401000.00000020.00000001.01000000.00000004.sdmp, wjpP1EOX0L.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: wjpP1EOX0L.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: wjpP1EOX0L.exe, 00000000.00000003.1720539531.00000000022C2000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000002.00000003.2098213335.00000000022A5000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kngstr.com/?PreDefines.ish
Source: wjpP1EOX0L.exe, 00000000.00000003.1720539531.00000000022AC000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1710614762.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000003.1713559295.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000003.1716936096.00000000021FD000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000003.00000003.2086719713.000000000234D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kngstr.com/?PreDefines.ishAbout
Source: wjpP1EOX0L.tmp, 00000001.00000003.1716936096.00000000021F5000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000003.00000003.2086719713.0000000002345000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kngstr.com/?PreDefines.isha
Source: ast.exe.9.dr	String found in binary or memory: http://www.openssl.org/)
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000361A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, is-VCJTB.tmp.3.dr	String found in binary or memory: http://www.openssl.org/V
Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000000.1712569015.0000000000401000.00000020.00000001.01000000.00000004.sdmp, wjpP1EOX0L.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515695685.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ast.exe, 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp, is-JCPUK.tmp.3.dr, libcurl.dll.9.dr	String found in binary or memory: https://curl.haxx.se/V
Source: ast.exe, 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp, is-JCPUK.tmp.3.dr, libcurl.dll.9.dr	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: ast.exe, ast.exe, 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp, is-JCPUK.tmp.3.dr, libcurl.dll.9.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ast.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ast.exe, 0000000A.00000000.2388256151.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: ast.exe, 0000000A.00000000.2388256151.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: ast.exe, 0000000A.00000000.2388256151.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: ast.exe, 0000000A.00000003.2877051123.00000000060A0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2888384413.000000000609F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn-
Source: ast.exe, 0000000A.00000002.2996363895.0000000008F8C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akico
Source: ast.exe, 0000000A.00000003.2474490964.000000000608D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2436010829.0000000006071000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2435889428.0000000006065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aa
Source: ast.exe, 0000000A.00000003.2696699050.000000000608A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--
Source: ast.exe.9.dr	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai00
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai03
Source: ast.exe, 0000000A.00000002.2982914474.0000000003194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai443...
Source: ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:
Source: ast.exe, 0000000A.00000003.2706718804.00000000060A2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2696026958.00000000060F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
Source: ast.exe, 0000000A.00000003.2551675843.0000000006097000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2561692182.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525993259.0000000006099000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443%
Source: ast.exe, 0000000A.00000003.2771015394.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2935483270.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2787353293.000000000609D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443&w
Source: ast.exe, 0000000A.00000003.2452887279.0000000006075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443-
Source: ast.exe, 0000000A.00000002.2982914474.000000000319B000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2472544479.00000000060BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43AW
Source: ast.exe, 0000000A.00000003.2877051123.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2993259885.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2787353293.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2429957558.0000000006092000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2730238261.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2745744616.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2819335046.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2888016220.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2730618420.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2452524284.0000000006086000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2722515590.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2907031061.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
Source: ast.exe, 0000000A.00000002.2993259885.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2722515590.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/5
Source: ast.exe, 0000000A.00000003.2787353293.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/6
Source: ast.exe, 0000000A.00000003.2745744616.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/Cln241119_8036.log
Source: ast.exe, 0000000A.00000003.2745744616.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/Cln241119_8036.logw
Source: ast.exe, 0000000A.00000003.2746410358.00000000070B1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2935989467.0000000006091000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2722515590.000000000609D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2826372339.00000000070C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.000000000608D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2745744616.00000000060ED000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2935483270.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2429957558.0000000006092000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2972708017.00000000070C1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2730238261.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2973227337.00000000060B9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2826675676.0000000006087000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2819180112.00000000070C4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2825441021.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2888384413.000000000609F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2771015394.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2935483270.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2877395342.000000000607B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
Source: ast.exe, 0000000A.00000003.2730238261.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2819335046.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2888016220.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2730618420.00000000060C3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.00000000060C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/og
Source: ast.exe, 0000000A.00000002.2988967323.00000000042E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4430
Source: ast.exe, 0000000A.00000003.2771015394.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2706718804.00000000060A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4430wo~
Source: ast.exe, 0000000A.00000003.2526279673.000000000607B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2452524284.0000000006086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
Source: ast.exe, 0000000A.00000003.2452524284.0000000006086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
Source: ast.exe, 0000000A.00000003.2452834986.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2452524284.0000000006086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/
Source: ast.exe, 0000000A.00000003.2476123740.0000000006075000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2452887279.0000000006075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335:
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F4B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335y
Source: ast.exe, 0000000A.00000003.2819563853.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992930514.00000000060A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4434lo~p
Source: ast.exe, 0000000A.00000003.2551550301.00000000060F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443:
Source: ast.exe, 0000000A.00000003.2877051123.00000000060A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Io
Source: ast.exe, 0000000A.00000002.2979445587.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443K
Source: ast.exe, 0000000A.00000003.2476123740.0000000006075000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2452887279.0000000006075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443L
Source: ast.exe, 0000000A.00000003.2746778261.00000000060A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Ow
Source: ast.exe, 0000000A.00000003.2435889428.0000000006075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443U
Source: ast.exe, 0000000A.00000003.2907031061.00000000060A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Vw
Source: ast.exe, 0000000A.00000003.2787353293.000000000609D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Wl
Source: ast.exe, 0000000A.00000003.2819563853.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2746778261.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2670067675.000000000609D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443aw
Source: ast.exe, 0000000A.00000003.2856120074.00000000060A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ers
Source: ast.exe, 0000000A.00000003.2551675843.0000000006097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443l
Source: ast.exe, 0000000A.00000003.2474490964.000000000608D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443r
Source: ast.exe, 0000000A.00000003.2670067675.000000000609D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443sw.~
Source: ast.exe, 0000000A.00000003.2430087607.000000000605F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443t:
Source: ast.exe, 0000000A.00000003.2551550301.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2535632567.000000000607B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526279673.000000000607B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443w
Source: ast.exe, 0000000A.00000003.2552338521.0000000006075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443y
Source: ast.exe, 0000000A.00000003.2746778261.00000000060A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443zo-
Source: ast.exe, 0000000A.00000002.2995912080.00000000075CD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiDUdu
Source: ast.exe, 0000000A.00000003.2552338521.0000000006061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai_
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidll03
Source: ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aie03
Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2430087607.000000000605F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2436010829.0000000006071000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2435889428.0000000006065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiexe
Source: ast.exe, 0000000A.00000003.2436010829.0000000006071000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2435889428.0000000006065000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2476123740.0000000006060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiexe7
Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2476123740.0000000006060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiexel
Source: ast.exe, 0000000A.00000003.2476123740.0000000006060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aill
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aillll
Source: ast.exe, 0000000A.00000003.2476123740.0000000006060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aillx;
Source: ast.exe, 0000000A.00000002.2982914474.0000000003194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiq
Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ais.dll
Source: ast.exe, 0000000A.00000003.2452887279.0000000006060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.dll
Source: ast.exe, 0000000A.00000003.2436010829.0000000006071000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2435889428.0000000006065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.l;
Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aixh-~
Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0B
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0D
Source: xcopy.exe, 00000009.00000003.2089288252.00000000035F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006978493.000000006CA52000.00000002.00000001.01000000.00000013.sdmp, ast.exe, 0000000A.00000002.3000753196.000000006BE60000.00000002.00000001.01000000.00000014.sdmp, is-UA1D6.tmp.3.dr	String found in binary or memory: https://www.openssl.org/H
Source: is-VCJTB.tmp.3.dr	String found in binary or memory: https://www.openssl.org/docs/faq.html

Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50178
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 50187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989

Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49905 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49948 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49964 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49980 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50038 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50071 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50103 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50109 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50115 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50118 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50121 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50124 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50127 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50130 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50136 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50139 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50145 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50148 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50151 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50154 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50157 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50160 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50181 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50184 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50187 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:50190 version: TLS 1.2

Yara detected Keylogger Generic

Source: Yara match	File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED

E-Banking Fraud

Yara detected TVrat

Source: Yara match	File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED

Source: C:\Users\user\AppData\Roaming\im\ast.exe

Code function: 10_2_6B8D8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

10_2_6B8D8010

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8FFEF0	10_2_6B8FFEF0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F6EF0	10_2_6B8F6EF0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8D2D20	10_2_6B8D2D20
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8D7380	10_2_6B8D7380
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8E8A80	10_2_6B8E8A80
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8E3A10	10_2_6B8E3A10
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B910A40	10_2_6B910A40
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8DF950	10_2_6B8DF950
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F1170	10_2_6B8F1170
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B920050	10_2_6B920050
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8FA790	10_2_6B8FA790
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8D7730	10_2_6B8D7730
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B906F40	10_2_6B906F40
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8DEEA0	10_2_6B8DEEA0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B9075D0	10_2_6B9075D0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8FDCD0	10_2_6B8FDCD0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B92BCF0	10_2_6B92BCF0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8F0C10	10_2_6B8F0C10

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: String function: 6B91ED00 appears 32 times
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: String function: 6B8F48E0 appears 32 times
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: String function: 6B9006B0 appears 180 times
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: String function: 6B9005D0 appears 213 times

PE file contains executable resources (Code or Archives)

Source: wjpP1EOX0L.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wjpP1EOX0L.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: wjpP1EOX0L.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wjpP1EOX0L.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002576000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs wjpP1EOX0L.exe
Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FE32000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs wjpP1EOX0L.exe

Uses 32bit PE files

Source: wjpP1EOX0L.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal68.troj.evad.winEXE@15/60@11/3

Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslNBC07263F-BB1A-48FB-BEDA-5E5CFBC91BB8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrNBC07263F-BB1A-48FB-BEDA-5E5CFBC91BB8
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470Dv6

Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe"
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe"
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m	Jump to behavior
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"	Jump to behavior

Source: is-4POLO.tmp.3.dr	Static PE information: section name: .rodata
Source: is-82POG.tmp.3.dr	Static PE information: section name: .textbss
Source: is-82POG.tmp.3.dr	Static PE information: section name: .msvcjmc
Source: is-82POG.tmp.3.dr	Static PE information: section name: .00cfg
Source: is-SD6OU.tmp.3.dr	Static PE information: section name: .00cfg
Source: is-UA1D6.tmp.3.dr	Static PE information: section name: .00cfg
Source: is-ND9BQ.tmp.3.dr	Static PE information: section name: .code
Source: quartz.dll.9.dr	Static PE information: section name: .code
Source: astrct.dll.9.dr	Static PE information: section name: .rodata
Source: hatls.dll.9.dr	Static PE information: section name: .textbss
Source: hatls.dll.9.dr	Static PE information: section name: .msvcjmc
Source: hatls.dll.9.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.9.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.9.dr	Static PE information: section name: .00cfg

Source: is-88TFK.tmp.3.dr	Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.9.dr	Static PE information: section name: .text entropy: 6.95576372950548

Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\aw_sas32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\quartz.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libjpeg-turbo-win.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\quartz.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libssl-1_1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\AstCrp.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\opus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\hatls.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\ast.exe (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libcryptoMD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\astrct.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\astclient.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	File created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\ast.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\AstCrp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	File created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\libcrypto-1_1.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	File created: C:\Users\user\AppData\Roaming\im\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\is-ND9BQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	File created: C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce asg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce asg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce asg	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce asg	Jump to behavior

Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Roaming\im\ast.exe	RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\im\ast.exe	RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\im\ast.exe	RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\im\ast.exe	RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F86D453B8D5h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F86D453B8B9h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\im\ast.exe	RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F86D453B8D5h 0x0000000d dec ecx 0x0000000e jne 00007F86D453B8B9h 0x00000010 rdtsc

Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\msvcr120.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\aw_sas32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libeay32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libjpeg-turbo-win.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\astrct.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\astclient.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\opus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\hatls.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libcurl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-ND9BQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libcryptoMD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Last function: Thread delayed

Source: ast.exe.9.dr	Binary or memory string: VMware
Source: ast.exe, 0000000B.00000002.2513073562.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: ast.exe.9.dr	Binary or memory string: VBoxService.exe
Source: ast.exe, 0000000B.00000002.2513073562.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wjpP1EOX0L.tmp, 00000001.00000002.1718627243.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
Source: ast.exe, 0000000A.00000002.2979445587.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{L
Source: ast.exe.9.dr	Binary or memory string: VMWare
Source: ast.exe.9.dr	Binary or memory string: VBoxService.exeU

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B931C01 mov eax, dword ptr fs:[00000030h]		10_2_6B931C01
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B92C43E mov eax, dword ptr fs:[00000030h]		10_2_6B92C43E

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B91EB81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_6B91EB81
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B92EFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_6B92EFE1
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B91DC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_6B91DC3A

Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	Binary or memory string: Shell_TrayWndSVW
Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	Binary or memory string: Shell_TrayWnd
Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr	Binary or memory string: Shell_TrayWndTrayNotifyWndSV

Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B906D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket,	10_2_6B906D50
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8D39A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,	10_2_6B8D39A0
Source: C:\Users\user\AppData\Roaming\im\ast.exe	Code function: 10_2_6B8DEEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror,	10_2_6B8DEEA0

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.169.65	id.xn--80akicokc0aablc.xn--p1ai	Russian Federation		60329	SAFIB-ASRU	false
195.19.105.66	trs011.xn--80akicokc0aablc.xn--p1ai	Russian Federation		12389	ROSTELECOM-ASRU	false

Name	IP	Active
trs011.xn--80akicokc0aablc.xn--p1ai	195.19.105.66	true
id.xn--80akicokc0aablc.xn--p1ai	212.193.169.65	true
crypto-st.art	unknown	unknown

Windows Analysis Report wjpP1EOX0L.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
wjpP1EOX0L.exe

Malware Threat Intel
Provided by

ID:	1558734
Product:	CloudBasic
Start time:	18:54:06
Start date:	19.11.2024
Sample:	wjpP1EOX0L.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	34dc961fe0a98ea779d7b673a48c77a0
SHA1:	7f3cf770da67a60d60c79c82df85eef66eb80d8e
SHA256:	7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0
Filetype:	Win32 Executable (generic) a (10002005/4) 99.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A69559718AB506675E907FE49DEB71E9	BC8F404FFDB1960B50C12FF9413C893B56F2E36F	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	90FC739C83CD19766ACB562C66A7D0E2	451F385A53D5FED15E7649E7891E05F231EF549A	821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431
C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A69559718AB506675E907FE49DEB71E9	BC8F404FFDB1960B50C12FF9413C893B56F2E36F	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	90FC739C83CD19766ACB562C66A7D0E2	451F385A53D5FED15E7649E7891E05F231EF549A	821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431
C:\Users\user\AppData\Local\Temp\mo6x\3bzcw9.cfg (copy)	data	005E5B1F92F1560540725F159D1542B1	5E1B84A12D4BD5170803158700B325795E97A3A1	4A848BDC62E826571E5D01B16D09935C902B2080CBF913A185B9A33C925CA7D4
C:\Users\user\AppData\Local\Temp\mo6x\AstCrp.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CF1169A87FE6266C7B457A2424DA69DA	5ADD67DEFD4CA56C1E9C0B239899EA699B140B64	24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
C:\Users\user\AppData\Local\Temp\mo6x\ast.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	8002D9E5851728EB024B398CF19DE390	9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E	B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CDC5A8221738C1CA66564755BB58138C	EF096A2CAF133D217C202C147855F2CEE7ECD105	DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E0E559010A1CC7CB6B6F754E8833A156	0ADB286A1511B9D5820B042EE7D059DAEE8D0978	A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	ACF7048E2347CFD66CD17648DBFBAF45	DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3	F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
C:\Users\user\AppData\Local\Temp\mo6x\config.ini (copy)	ASCII text, with CRLF line terminators	5D7974984AE3D593B7887CC7BDA866DD	9C0B2EC2659812F1E46F2D32F82E61DF223C674C	7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BCCF6A5C2595EEA84533692BB788D8BB	24318226F145E52B7633A4E9E844D6EAD43B75AC	ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmp	PE32 executable (DLL) (console) Intel 80386, for MS Windows	82E49683F540F78B2D1759CDE594482F	352DCBDBBB3C5C927B83389E2AB7F40B66EE716A	55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CF1169A87FE6266C7B457A2424DA69DA	5ADD67DEFD4CA56C1E9C0B239899EA699B140B64	24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
C:\Users\user\AppData\Local\Temp\mo6x\is-2LPS2.tmp	data	005E5B1F92F1560540725F159D1542B1	5E1B84A12D4BD5170803158700B325795E97A3A1	4A848BDC62E826571E5D01B16D09935C902B2080CBF913A185B9A33C925CA7D4
C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E0E559010A1CC7CB6B6F754E8833A156	0ADB286A1511B9D5820B042EE7D059DAEE8D0978	A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
C:\Users\user\AppData\Local\Temp\mo6x\is-4UFKS.tmp	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3	2302BC48A162783A6A41C278B3F54145	8C3272769F604DC3AE6C6B98A29CC779532D1783	1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96D413CAAF8C7793A96EF200F6695922	ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5	5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BCCF6A5C2595EEA84533692BB788D8BB	24318226F145E52B7633A4E9E844D6EAD43B75AC	ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	034CCADC1C073E4216E9466B720F9849	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CDC5A8221738C1CA66564755BB58138C	EF096A2CAF133D217C202C147855F2CEE7ECD105	DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
C:\Users\user\AppData\Local\Temp\mo6x\is-AFM1F.tmp	ASCII text, with CRLF line terminators	5D7974984AE3D593B7887CC7BDA866DD	9C0B2EC2659812F1E46F2D32F82E61DF223C674C	7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	8002D9E5851728EB024B398CF19DE390	9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E	B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmp	PE32 executable (DLL) (console) Intel 80386, for MS Windows	13CD45DF8AAA584EBD2A40EDE76F1E06	BAA19E6A965621CB315E5F866EDC179EF1D6B863	3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmp	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3B838DC25E96877A1852966F75A5C44A	555E1830829B008D66FF591D87AC235F6286AB9A	292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
C:\Users\user\AppData\Local\Temp\mo6x\is-ND9BQ.tmp	PE32 executable (DLL) (console) Intel 80386, for MS Windows	F9EE295F34E22150DB8EDD2392482148	60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4	5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E
C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	ACF7048E2347CFD66CD17648DBFBAF45	DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3	F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	59A3B581020759D52538425A1F5A53D5	4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6	4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	753B75570811052953F336261E3031BB	2244CCE49368180C1CF6BCA0C57DAEC71401C4F7	603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1AFC9BD5E625E85B696141F62FBA4325	56FB325125F436D7408808446D58AF50F8AA3BFC	83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
C:\Users\user\AppData\Local\Temp\mo6x\libcrypto-1_1.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	59A3B581020759D52538425A1F5A53D5	4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6	4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1AFC9BD5E625E85B696141F62FBA4325	56FB325125F436D7408808446D58AF50F8AA3BFC	83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy)	PE32 executable (DLL) (console) Intel 80386, for MS Windows	13CD45DF8AAA584EBD2A40EDE76F1E06	BAA19E6A965621CB315E5F866EDC179EF1D6B863	3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy)	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3B838DC25E96877A1852966F75A5C44A	555E1830829B008D66FF591D87AC235F6286AB9A	292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96D413CAAF8C7793A96EF200F6695922	ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5	5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
C:\Users\user\AppData\Local\Temp\mo6x\libssl-1_1.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	753B75570811052953F336261E3031BB	2244CCE49368180C1CF6BCA0C57DAEC71401C4F7	603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
C:\Users\user\AppData\Local\Temp\mo6x\mk7r31.bmp (copy)	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3	2302BC48A162783A6A41C278B3F54145	8C3272769F604DC3AE6C6B98A29CC779532D1783	1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	034CCADC1C073E4216E9466B720F9849	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy)	PE32 executable (DLL) (console) Intel 80386, for MS Windows	82E49683F540F78B2D1759CDE594482F	352DCBDBBB3C5C927B83389E2AB7F40B66EE716A	55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
C:\Users\user\AppData\Local\Temp\mo6x\quartz.dll (copy)	PE32 executable (DLL) (console) Intel 80386, for MS Windows	F9EE295F34E22150DB8EDD2392482148	60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4	5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E
C:\Users\user\AppData\Roaming\im\3bzcw9.cfg	data	71B4245ABD801E82ECC8CB1571F8F52E	CD8ADA2E8089936C031937232E09E385FB402DDC	4BE589771AC3BE4AE5B94590AFC39AEA664FBF400C651FBD268B48436FA509A7
C:\Users\user\AppData\Roaming\im\AstCrp.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CF1169A87FE6266C7B457A2424DA69DA	5ADD67DEFD4CA56C1E9C0B239899EA699B140B64	24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
C:\Users\user\AppData\Roaming\im\ast.exe	PE32 executable (GUI) Intel 80386, for MS Windows	8002D9E5851728EB024B398CF19DE390	9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E	B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
C:\Users\user\AppData\Roaming\im\astclient.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CDC5A8221738C1CA66564755BB58138C	EF096A2CAF133D217C202C147855F2CEE7ECD105	DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
C:\Users\user\AppData\Roaming\im\astrct.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E0E559010A1CC7CB6B6F754E8833A156	0ADB286A1511B9D5820B042EE7D059DAEE8D0978	A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
C:\Users\user\AppData\Roaming\im\aw_sas32.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	ACF7048E2347CFD66CD17648DBFBAF45	DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3	F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
C:\Users\user\AppData\Roaming\im\config.ini	ASCII text, with CRLF line terminators	5D7974984AE3D593B7887CC7BDA866DD	9C0B2EC2659812F1E46F2D32F82E61DF223C674C	7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
C:\Users\user\AppData\Roaming\im\hatls.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BCCF6A5C2595EEA84533692BB788D8BB	24318226F145E52B7633A4E9E844D6EAD43B75AC	ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
C:\Users\user\AppData\Roaming\im\libcrypto-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	59A3B581020759D52538425A1F5A53D5	4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6	4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
C:\Users\user\AppData\Roaming\im\libcryptoMD.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1AFC9BD5E625E85B696141F62FBA4325	56FB325125F436D7408808446D58AF50F8AA3BFC	83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
C:\Users\user\AppData\Roaming\im\libcurl.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	13CD45DF8AAA584EBD2A40EDE76F1E06	BAA19E6A965621CB315E5F866EDC179EF1D6B863	3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
C:\Users\user\AppData\Roaming\im\libeay32.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	3B838DC25E96877A1852966F75A5C44A	555E1830829B008D66FF591D87AC235F6286AB9A	292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
C:\Users\user\AppData\Roaming\im\libjpeg-turbo-win.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96D413CAAF8C7793A96EF200F6695922	ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5	5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
C:\Users\user\AppData\Roaming\im\libssl-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	753B75570811052953F336261E3031BB	2244CCE49368180C1CF6BCA0C57DAEC71401C4F7	603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
C:\Users\user\AppData\Roaming\im\mk7r31.bmp	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3	2302BC48A162783A6A41C278B3F54145	8C3272769F604DC3AE6C6B98A29CC779532D1783	1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
C:\Users\user\AppData\Roaming\im\msvcr120.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	034CCADC1C073E4216E9466B720F9849	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
C:\Users\user\AppData\Roaming\im\opus.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	82E49683F540F78B2D1759CDE594482F	352DCBDBBB3C5C927B83389E2AB7F40B66EE716A	55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
C:\Users\user\AppData\Roaming\im\quartz.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	F9EE295F34E22150DB8EDD2392482148	60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4	5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E