Windows Analysis Report
aeyh21MAtA.exe

Overview

General Information

Sample name: aeyh21MAtA.exe
renamed because original name is a hash value
Original sample name: 21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f.exe
Analysis ID: 1558736
MD5: 91444fbf43fbbb75b12dc51f3b5465ea
SHA1: 1c81094998d5afa6c09ebd3ee14c4d99b56d729f
SHA256: 21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f
Tags: crypto-st--artexeuser-JAMESWT_MHT
Infos:

Detection

TVrat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected TVrat
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection

Source: aeyh21MAtA.exe Avira: detected
Source: aeyh21MAtA.exe ReversingLabs: Detection: 36%
Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B778010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 10_2_6B778010
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7920A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 10_2_6B7920A0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_07004ED6 CryptStringToBinaryA,CryptStringToBinaryA, 11_2_07004ED6
Source: ast.exe, 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a26e66f5-e
Source: aeyh21MAtA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49977 version: TLS 1.2
Source: Binary string: vcruntime140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2447777452.000000000325D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3372819038.000000006BE10000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000008.00000003.2454654792.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: vcomp140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070025DB FindFirstFileA,FindNextFileA,FindClose, 11_3_070025DB
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_070025DB lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 11_2_070025DB
Source: global traffic TCP traffic: 192.168.2.5:49983 -> 212.193.169.65:44335
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7A09F0 recv,send,WSAGetLastError, 10_2_6B7A09F0
Source: global traffic DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
Source: unknown HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.
Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D67000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ast.exe, 0000000C.00000002.2942134917.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crypto-st.art/update.php
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: ast.exe, 0000000A.00000003.3020160381.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.
Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://restools.hanzify.org/
Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ZZY
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/r
Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
Source: ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt0
Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types.
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types;QpM
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typese
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesh
Source: ast.exe, 0000000B.00000002.2862003498.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesnu
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typeste
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesui
Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesvider
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesw
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesw_sas3Y
Source: is-TBGHD.tmp.4.dr String found in binary or memory: http://www.indyproject.org/
Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.innosetup.com/
Source: aeyh21MAtA.exe, 00000000.00000003.2086829380.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2082226241.000000000237E000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000003.00000003.2454108378.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000004.00000003.2445177272.00000000023CE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.kngstr.com/?PreDefines.ish
Source: aeyh21MAtA.exe, 00000000.00000003.2086829380.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2075277683.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2082226241.0000000002385000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2079075667.0000000003250000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000004.00000003.2445177272.00000000023D5000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.kngstr.com/?PreDefines.ishAbout
Source: is-TBGHD.tmp.4.dr String found in binary or memory: http://www.openssl.org/)
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/V
Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865741279.0000000061EA0000.00000008.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ast.exe, 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.dr String found in binary or memory: https://curl.haxx.se/V
Source: ast.exe, 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.dr String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: ast.exe, ast.exe, 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ast.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: ast.exe, 0000000A.00000002.3361561204.0000000005CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn-
Source: ast.exe, 0000000A.00000003.3338883178.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80ak
Source: ast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akico
Source: ast.exe, 0000000A.00000003.3224678358.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3124114421.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aa
Source: ast.exe, 0000000A.00000003.3224678358.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081842391.0000000005D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.
Source: ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p$
Source: is-TBGHD.tmp.4.dr String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: ast.exe, 0000000A.00000003.3020160381.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783362504.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3342382296.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3124114421.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai00
Source: ast.exe, 0000000A.00000002.3344815019.0000000003032000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai1
Source: ast.exe, 0000000A.00000002.3348750365.0000000003374000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai443...
Source: ast.exe, 0000000A.00000003.3264857508.0000000005D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44
Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
Source: ast.exe, 0000000A.00000003.3178902749.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443$
Source: ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443-0
Source: ast.exe, 0000000A.00000003.3265913117.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3361561204.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443.
Source: ast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074037085.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3222862221.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3361561204.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3344815019.0000000003023000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103917817.0000000005D34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: ast.exe, 0000000A.00000002.3344815019.0000000003023000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43
Source: ast.exe, 0000000A.00000002.3344815019.0000000003023000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43aU
Source: ast.exe, 0000000A.00000002.3344815019.0000000003023000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...AW
Source: ast.exe, 0000000A.00000002.3342382296.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
Source: ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/AstClnog
Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/ING=Defaui
Source: ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/Log
Source: ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D67000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178152497.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
Source: ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44300
Source: ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44302
Source: ast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
Source: ast.exe, 0000000A.00000002.3348750365.0000000003382000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3018890151.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3348750365.000000000337B000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3018890151.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3019905898.0000000005D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335...
Source: ast.exe, 0000000A.00000002.3348750365.000000000337B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335......
Source: ast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/
Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/api/exec
Source: ast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/templatep
Source: ast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335i:443y
Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44359
Source: ast.exe, 0000000A.00000003.3275116176.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097543299.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087531277.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141777377.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196760907.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074429948.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224217384.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4438
Source: ast.exe, 0000000A.00000003.3275116176.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4439
Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44396
Source: ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443:V
Source: ast.exe, 0000000A.00000002.3356437009.0000000004418000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443AUB
Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443CBOs
Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097910899.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087444966.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074037085.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178707233.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081842391.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3363176686.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3338883178.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443JV
Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443K
Source: ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097910899.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443NUGx
Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443OW
Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Os
Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443U
Source: ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443VV
Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443VW~x
Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443_Vpy
Source: ast.exe, 0000000A.00000003.3275116176.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097543299.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087531277.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141777377.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196760907.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074429948.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443f
Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3361561204.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3342382296.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g
Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g8P
Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g~
Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443h
Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443i
Source: ast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443iVfy
Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103917817.0000000005D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443k
Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443l~
Source: ast.exe, 0000000A.00000003.3103307205.0000000005D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443mUbx
Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443n
Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443rV
Source: ast.exe, 0000000A.00000003.3103917817.0000000005D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443t
Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ts
Source: ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443uV
Source: ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443uin
Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443vU
Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443w
Source: ast.exe, 0000000A.00000003.3020160381.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiCY
Source: ast.exe, 0000000A.00000002.3342382296.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiIZ
Source: ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiVZ
Source: ast.exe, 0000000A.00000002.3344815019.0000000003064000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
Source: ast.exe, 0000000A.00000003.3124114421.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aihY
Source: ast.exe, 0000000A.00000002.3344815019.0000000003032000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aii
Source: ast.exe, 0000000A.00000003.2783362504.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aij
Source: ast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiv
Source: ast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0ar
Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0B
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0D
Source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032A2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368385814.000000006BBD2000.00000002.00000001.01000000.00000012.sdmp, ast.exe, 0000000A.00000002.3374557553.000000006BE40000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr String found in binary or memory: https://www.openssl.org/H
Source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50160
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50163
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50160 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49977 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49992 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50025 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50055 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50067 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50070 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50073 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50094 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50103 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50106 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50109 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50112 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50115 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50118 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50121 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50124 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50127 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50130 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50133 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50142 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50148 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50154 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50157 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50160 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50163 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50166 version: TLS 1.2
Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B778010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 10_2_6B778010
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B79FEF0 10_2_6B79FEF0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B796EF0 10_2_6B796EF0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B772D20 10_2_6B772D20
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B777380 10_2_6B777380
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B791170 10_2_6B791170
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7A6F40 10_2_6B7A6F40
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B777730 10_2_6B777730
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B79A790 10_2_6B79A790
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B77EEA0 10_2_6B77EEA0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7A75D0 10_2_6B7A75D0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CBCF0 10_2_6B7CBCF0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B79DCD0 10_2_6B79DCD0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E218FA 11_2_61E218FA
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E4100E 11_2_61E4100E
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E27808 11_2_61E27808
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E292FF 11_2_61E292FF
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E15A83 11_2_61E15A83
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E4E294 11_2_61E4E294
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E38D3B 11_2_61E38D3B
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E4151E 11_2_61E4151E
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E23C36 11_2_61E23C36
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E3BF85 11_2_61E3BF85
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E1F6C5 11_2_61E1F6C5
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E1CE5B 11_2_61E1CE5B
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: String function: 6B7A06B0 appears 83 times
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: String function: 6B7A05D0 appears 122 times
Source: aeyh21MAtA.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: aeyh21MAtA.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: aeyh21MAtA.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: aeyh21MAtA.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: aeyh21MAtA.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: aeyh21MAtA.exe, 00000000.00000003.2076256080.0000000002553000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs aeyh21MAtA.exe
Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs aeyh21MAtA.exe
Source: aeyh21MAtA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal88.troj.evad.winEXE@16/65@2/2
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070013E5 CreateToolhelp32Snapshot,Process32First,Process32Next,Sleep, 11_3_070013E5
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrNDE3088FE-2234-4D4D-9206-D65E12CF2A75
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslNDE3088FE-2234-4D4D-9206-D65E12CF2A75
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470DE1
Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp
Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\template\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\template\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\template\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: aeyh21MAtA.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\aeyh21MAtA.exe File read: C:\Users\user\Desktop\aeyh21MAtA.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe"
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp" /SL5="$20454,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp" /SL5="$20464,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp" /SL5="$20454,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp" /SL5="$20464,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: crtdll.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: quartz.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: colorui.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: compstui.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: inetres.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: astcrp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: crtdll.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: quartz.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: quartz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: avifil32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe File written: C:\Users\user\AppData\Roaming\template\config.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: aeyh21MAtA.exe Static file information: File size 7234714 > 1048576
Source: Binary string: vcruntime140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2447777452.000000000325D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3372819038.000000006BE10000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000008.00000003.2454654792.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: vcomp140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7AAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 10_2_6B7AAE50
Source: is-SNDPS.tmp.4.dr Static PE information: section name: .rodata
Source: is-S3CIC.tmp.4.dr Static PE information: section name: .textbss
Source: is-S3CIC.tmp.4.dr Static PE information: section name: .msvcjmc
Source: is-S3CIC.tmp.4.dr Static PE information: section name: .00cfg
Source: is-E6DJ2.tmp.4.dr Static PE information: section name: .00cfg
Source: is-GPS00.tmp.4.dr Static PE information: section name: .00cfg
Source: is-JCRD8.tmp.4.dr Static PE information: section name: .code
Source: libssl-1_1.dll.8.dr Static PE information: section name: .00cfg
Source: quartz.dll.8.dr Static PE information: section name: .code
Source: astrct.dll.8.dr Static PE information: section name: .rodata
Source: hatls.dll.8.dr Static PE information: section name: .textbss
Source: hatls.dll.8.dr Static PE information: section name: .msvcjmc
Source: hatls.dll.8.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.8.dr Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7D9F78 push ecx; ret 10_2_6B7D9F76
Source: is-MU1HO.tmp.4.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.8.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-S3CIC.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcrypto-1_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\astclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-BG0DN.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\ast.exe
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-JCRD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\opus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\quartz.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\opus.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcrypto-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\msvcr120.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\astrct.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\astclient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\hatls.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-60GLH.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\msvcr120.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\AstCrp.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-AAPRN.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\aw_sas32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\ast.exe (copy)
Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libjpeg-turbo-win.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\astrct.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-SNDPS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-GPS00.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcryptoMD.dll
Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5765H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-16KCC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5FFPK.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\AstCrp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-MU1HO.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\quartz.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libjpeg-turbo-win.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcryptoMD.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-VO31B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-0HK0N.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\hatls.dll
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-E6DJ2.tmp
Source: C:\Users\user\AppData\Roaming\template\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ast
Source: C:\Users\user\AppData\Roaming\template\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ast
Source: C:\Users\user\AppData\Roaming\template\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ast
Source: C:\Users\user\AppData\Roaming\template\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ast

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (15).png
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: OutputDebugStringW count: 1841
Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F824CC642A5h 0x0000000d dec ecx 0x0000000e jne 00007F824CC64289h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F824CC642A5h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F824CC64289h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\template\ast.exe Window / User API: threadDelayed 3592 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-GPS00.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-SNDPS.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-S3CIC.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\astclient.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libcryptoMD.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5765H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-BG0DN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-16KCC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-JCRD8.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5FFPK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\opus.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libcurl.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\opus.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\msvcr120.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\astrct.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\hatls.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\astclient.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-60GLH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-MU1HO.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\msvcr120.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libjpeg-turbo-win.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libcryptoMD.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\aw_sas32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-VO31B.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libcurl.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-AAPRN.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\aw_sas32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\hatls.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libjpeg-turbo-win.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-0HK0N.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libeay32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-E6DJ2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\astrct.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Roaming\template\ast.exe API coverage: 2.8 %
Source: C:\Users\user\AppData\Roaming\template\ast.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070025DB FindFirstFileA,FindNextFileA,FindClose, 11_3_070025DB
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_070025DB lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 11_2_070025DB
Source: is-TBGHD.tmp.4.dr Binary or memory string: VMware
Source: is-TBGHD.tmp.4.dr Binary or memory string: VBoxService.exe
Source: aeyh21MAtA.tmp, 00000001.00000002.2083863637.000000000063C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: aeyh21MAtA.tmp, 00000001.00000002.2083863637.000000000063C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%
Source: is-TBGHD.tmp.4.dr Binary or memory string: VMWare
Source: ast.exe, 0000000B.00000002.2862003498.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: ast.exe, 0000000A.00000002.3342382296.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2941388188.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: is-TBGHD.tmp.4.dr Binary or memory string: VBoxService.exeU
Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6B7CEFE1
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7AAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 10_2_6B7AAE50
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CC43E mov eax, dword ptr fs:[00000030h] 10_2_6B7CC43E
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7D1C01 mov eax, dword ptr fs:[00000030h] 10_2_6B7D1C01
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_07001E1D mov edi, dword ptr fs:[00000030h] 11_3_07001E1D
Source: C:\Users\user\AppData\Roaming\template\ast.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6B7CEFE1
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7BDC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_6B7BDC3A
Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe" Jump to behavior
Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr Binary or memory string: Shell_TrayWndSVW
Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr Binary or memory string: Shell_TrayWnd
Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.dr Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CFBD1 GetSystemTimeAsFileTime, 10_2_6B7CFBD1
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070021FF GetUserNameA, 11_3_070021FF
Source: C:\Users\user\AppData\Roaming\template\ast.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: ast.exe, ast.exe, 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: PROCEXP.EXE

Stealing of Sensitive Information

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7A6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 10_2_6B7A6D50
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7739A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 10_2_6B7739A0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B77EEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror, 10_2_6B77EEA0
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E168FD sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings, 11_2_61E168FD
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E283DC sqlite3_bind_blob64, 11_2_61E283DC
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E283B5 sqlite3_mutex_leave,sqlite3_bind_blob, 11_2_61E283B5
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E285E9 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 11_2_61E285E9
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E095A5 sqlite3_bind_parameter_index, 11_2_61E095A5
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E285B8 sqlite3_bind_null,sqlite3_mutex_leave, 11_2_61E285B8
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E03587 sqlite3_bind_parameter_name, 11_2_61E03587
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E28592 sqlite3_bind_int,sqlite3_bind_int64, 11_2_61E28592
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E03575 sqlite3_bind_parameter_count, 11_2_61E03575
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E28543 sqlite3_bind_int64,sqlite3_mutex_leave, 11_2_61E28543
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E284DE sqlite3_bind_double,sqlite3_mutex_leave, 11_2_61E284DE
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E284B7 sqlite3_bind_text16, 11_2_61E284B7
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E2844A sqlite3_bind_text64, 11_2_61E2844A
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E28423 sqlite3_bind_text, 11_2_61E28423
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E1672A sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 11_2_61E1672A
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E2873D sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 11_2_61E2873D
Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_61E28656 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 11_2_61E28656